Welcome Banner

DOM Fragment XSS

The welcome banner reads `location.hash` and writes it via `innerHTML`, so a crafted fragment URL executes script in the victim's session.

CWE-79
Welcome
loading...

Try opening this page with `#<img src=x onerror=alert(1)>` appended.

Expected Findings

  • `location.hash` is parsed and written via `innerHTML`.
  • Fragments are not sent to the server, so server-side filtering misses the payload.
  • Same pattern reused on the password reset confirmation page.

Signals

Bug
el.innerHTML = "Hello " + decodeURIComponent(location.hash.slice(1))
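Added example, not code from the original page: the sink above reproduced next to a hardened rendering of the same banner. It uses a constructed stand-in for the DOM element so it runs outside a browser; `decodeFragment`, `renderSafe`, `NAME_RE` and `looksLikeMarkup` are names chosen here, not from the page. Because the fragment never reaches the server (see the findings), the only place to observe this is the client, so the last function is a client-side telemetry check rather than a server filter. It also handles the case the one-liner ignores: `decodeURIComponent` throws `URIError` on a malformed percent sequence, which would break the banner entirely.

```javascript
// Decode the part of the URL after "#". Malformed %-sequences make
// decodeURIComponent throw URIError; treat that as "no name supplied".
function decodeFragment(hash) {
  const raw = hash.startsWith("#") ? hash.slice(1) : hash;
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return "";
  }
}

// Constructed stand-in for a DOM element so the example runs in Node.
// In a real browser this would be document.getElementById("welcome").
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// The pattern flagged on the page: attacker-controlled text concatenated
// into innerHTML, so any markup in the fragment is parsed and rendered.
function renderVulnerable(el, hash) {
  el.innerHTML = "Hello " + decodeFragment(hash);
  return el.innerHTML;
}

// Hardened version: textContent assigns a text node and never parses
// markup. An allow-list on the display name (hypothetical policy) keeps
// the banner to letters, digits and a few punctuation characters.
const NAME_RE = /^[\p{L}\p{N} .'-]{1,64}$/u;
function renderSafe(el, hash) {
  const name = decodeFragment(hash);
  el.textContent = NAME_RE.test(name) ? "Hello " + name : "Hello";
  return el.textContent;
}

// Client-side detection signal: the fragment is never sent to the server,
// so markup characters in it can only be noticed (and reported) here.
function looksLikeMarkup(hash) {
  return /[<>"'`]/.test(decodeFragment(hash));
}

module.exports = { decodeFragment, makeElement, renderVulnerable, renderSafe, looksLikeMarkup };
```

Running `renderVulnerable` and `renderSafe` on the same constructed fragment `#%3Cb%3Ealice%3C%2Fb%3E` shows the difference: the first hands `<b>alice</b>` to the HTML parser, the second rejects it and falls back to a plain greeting. The same fix applies to the password reset confirmation page noted in the findings, since it reuses this sink.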