Lab 4
Level 1 - Beginner

DOM XSS Basics Lab

Level 1 Client-Side Security simulation: learn how browser-side JavaScript can create XSS risk when it injects user input into unsafe DOM sinks.

Client-Side Security, 20 min

Learning Objectives

This lab is a controlled simulation only. No real backend or dangerous code execution is used.
Objective 1: Review a fake page flow where JavaScript reflects user-controlled input into the DOM.
Objective 2: Identify how DOM-based XSS differs from server-side rendering issues.
Objective 3: Learn why unsafe sinks like innerHTML can turn input into executable browser content.

Challenge Area

Use the input fields below to safely simulate the vulnerable behavior.

DOM Injection Payload
Fake DOM Renderer
Source: window.location.hash or form input
Sink: innerHTML-style preview
Submitted payload: (none yet)
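
The source-to-sink flow named above can be traced mechanically during code review. The following is an added example, not part of the lab's own code: a line-based heuristic that flags user-controlled values (location.hash, form .value) reaching HTML-parsing sinks. The function name findDomXssFlows, the source and sink lists, and the constructed SAMPLE are assumptions made for illustration.

```javascript
// Added example (not the lab's code): heuristic source-to-sink review check.
// The lists are illustrative, not exhaustive; a real review would use an AST-based tool.
const SOURCES = [/\blocation\.(hash|search|href)\b/, /\bdocument\.(URL|referrer)\b/, /\.value\b/];
const SINK_ASSIGN = /\.(innerHTML|outerHTML)\s*\+?=(?!=)\s*(.+)$/;
const SINK_CALL = /\b(document\.write(?:ln)?|insertAdjacentHTML)\s*\((.*)\)/;
const DECL = /\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*(.+)$/;

function findDomXssFlows(source) {
  const tainted = new Set(); // variables that hold user-controlled data
  const findings = [];
  const mentions = (expr, name) =>
    new RegExp(`(^|[^\\w$.])${name.replace(/\$/g, "\\$&")}(?![\\w$])`).test(expr);
  const isTainted = (expr) =>
    SOURCES.some((re) => re.test(expr)) || [...tainted].some((v) => mentions(expr, v));

  source.split("\n").forEach((line, i) => {
    const code = line.replace(/\/\/.*$/, ""); // crude: drops line comments
    const decl = code.match(DECL);
    if (decl && isTainted(decl[2])) tainted.add(decl[1]);
    const sink = code.match(SINK_ASSIGN) || code.match(SINK_CALL);
    if (sink && isTainted(sink[2])) {
      findings.push({ line: i + 1, sink: sink[1], code: code.trim() });
    }
  });
  return findings;
}

// Constructed sample: a preview widget fed from the URL fragment and a form field.
const SAMPLE = [
  'const fragment = decodeURIComponent(location.hash.slice(1));',
  'const label = "Preview";',
  'preview.innerHTML = "<p>" + fragment + "</p>";', // flagged: source reaches innerHTML
  'title.innerHTML = "<h2>" + label + "</h2>";',    // constant only, not flagged
  'safePreview.textContent = fragment;',            // textContent never parses HTML
  'const query = form.elements.q.value;',
  'results.insertAdjacentHTML("beforeend", query);', // flagged: form input reaches sink
].join("\n");

for (const f of findDomXssFlows(SAMPLE)) {
  console.log(`line ${f.line}: ${f.sink} <- user input :: ${f.code}`);
}
```

The textContent line is not reported because that property stores the value as text rather than parsing it as markup, which is the usual fix for a preview like this one.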

Result Panel

Review the fake DOM rendering flow and enter a payload that demonstrates how browser-side JavaScript can turn user input into executable content.
