[2/6] Level 2: Persistence

Mission Description

This level demonstrates stored (persistent) XSS where malicious scripts are saved to the server and executed every time the page is loaded.

Mission Objective: Post a message that will execute JavaScript for anyone who views the page.

Message Board

✓ Level Complete! You successfully executed a stored XSS attack.

Hints

This is similar to Level 1, but your input is being stored. Try posting HTML tags.
The vulnerability is in how posts are displayed. Each post's content is directly inserted into the page.
Post this message: <img src=x onerror="alert('XSS')">
let posts = [];

function addPost() {
  const message = document.getElementById('message').value;
  if (message.trim()) {
    posts.push(message);
    document.getElementById('message').value = '';
    renderPosts();
  }
}

function renderPosts() {
  const container = document.getElementById('posts');
  container.innerHTML = '';
  
  posts.forEach(post => {
    const div = document.createElement('div');
    div.className = 'post';
    // VULNERABLE: Directly inserting stored content
    div.innerHTML = `
      <div class="post-author">Anonymous</div>
      <div class="post-content">${post}</div>
    `;
    container.appendChild(div);
  });
}