← vuln-lab catalog

DOM-based XSS

The fragment (location.hash) is written straight into the page via innerHTML — a client-side sink with no sanitization.

(waiting for #hash)

Trigger: /xss/dom.html#<img src=x onerror=alert(1)>

Detected by: browser_cdp_dom_xss_trace, browser_cdp_js_sink_monitor