[5/6] Level 5: DOM-Based XSS
Mission Description
This level demonstrates DOM-based XSS, where the vulnerability exists
entirely in client-side code. The application uses
location.hash to dynamically update content without proper
sanitization.
Mission Objective: Use the URL hash fragment to execute JavaScript.
Email Signup
Hints
The application reads from
location.hash and uses it to
display a welcome message. Try adding #welcome to the URL.
The hash value is being inserted with
innerHTML. Can you
inject HTML that will execute JavaScript?
Try this URL:
#<img src=x onerror="alert('XSS')">
function checkHash() {
if (location.hash) {
const message = location.hash.substring(1);
const confirmation = document.getElementById('confirmation');
// VULNERABLE: DOM-based XSS via location.hash
confirmation.innerHTML = decodeURIComponent(message);
confirmation.classList.add('show');
}
}
// Check on load and hash change
window.addEventListener('load', checkHash);
window.addEventListener('hashchange', checkHash);