Client XSS Exercises

The exercises ahead will help you learn Client XSS by actually trying to exploit it.
Each exercise contains the sections shown below.
You can use them to understand the exercise and then complete it successfully.



NOTE: This is not needed when the Source is URL or Navigation based.
Enter Payload
- If this button is present, its purpose is to help you debug the issue using the browser's built-in JavaScript debugger. To use it, first open the developer tools on the current page. Then click this button; it will turn grey. Now when you click the 'Execute Payload' button, the browser will stop at a breakpoint set at the start of the vulnerable part of the code. You can step through each instruction from there. Click this button again to turn off the breakpoint.



Data Flow

- Source of Data: DOM property or method that returns potentially untrusted data
- Data from Source: The value of the data read from the Source
- Data to Sink: The value of the data being assigned to the Sink
- Sink causing Execution: DOM property or method that evaluates the assigned data as code

Vulnerable Code



    //
    //Snippet of the code that has the vulnerability that affects this exercise.
    //Read this section to understand the vulnerability and find out the appropriate way to exploit it.
    //
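As an added illustration (not code from the exercises), the sketch below traces one constructed flow through the four Data Flow columns and contrasts a markup-parsing sink with a hardened one. The URL, the stand-in element and all function names are assumptions made for this example; the stand-in element only records assignments so the flow can run outside a browser.

```javascript
// Added example; all names are hypothetical and the sample URLs are constructed.
// Stand-in for a DOM element: records what is assigned to each sink property.
function makeElement() {
  const writes = [];
  return {
    writes,
    set innerHTML(v) { writes.push({ sink: 'innerHTML', parsesMarkup: true, value: String(v) }); },
    set textContent(v) { writes.push({ sink: 'textContent', parsesMarkup: false, value: String(v) }); },
  };
}

// Source: the URL fragment (what location.hash returns in a browser), decoded.
function readSource(url) {
  const raw = new URL(url).hash.slice(1);
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return raw; // malformed percent-escape: keep the raw fragment
  }
}

// Fills in the four Data Flow columns and flags markup that reaches a parsing sink.
function describeFlow(dataFromSource, el) {
  const last = el.writes[el.writes.length - 1];
  return {
    source: 'location.hash',
    dataFromSource,
    dataToSink: last.value,
    sink: last.sink,
    markupReachesParser: last.parsesMarkup && /</.test(dataFromSource),
  };
}

// Vulnerable pattern: Source data is concatenated and assigned to innerHTML.
function renderVulnerable(url, el) {
  const data = readSource(url);
  el.innerHTML = 'Hello, ' + data;
  return describeFlow(data, el);
}

// Hardened pattern: the same data goes to a sink that never parses markup.
function renderSafe(url, el) {
  const data = readSource(url);
  el.textContent = 'Hello, ' + data;
  return describeFlow(data, el);
}

const sampleUrl = 'https://exercise.example/page#<b>visitor</b>'; // constructed input
console.log(renderVulnerable(sampleUrl, makeElement()));
console.log(renderSafe(sampleUrl, makeElement()));
```

In a real page the fix is the same substitution: assign untrusted data to `textContent` (or encode it for the context) instead of a property that parses it as markup or code.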