DOM-based XSS (location.hash → innerHTML)

/dom · sink: element.innerHTML

Pure client-side flow: source location.hash, sink element.innerHTML. Nothing is reflected by the server; the HTTP response is identical whatever the fragment contains.

This page reads location.hash on load and writes it directly into the DOM via innerHTML, so the browser parses the fragment as HTML and any tags or event-handler attributes in it take effect. Edit the URL fragment and reload.

Try: https://xss.vulnlab.dev/dom/#<img src=x onerror=alert(1)>

Hint

The fragment is assigned to innerHTML on load, so the browser parses it as markup. Because the fragment never leaves the browser, the server never sees it: server-side DAST scanners that only inspect responses, a WAF in front of the origin, and access logs all miss this entirely; finding it takes a browser-driven (DOM-aware) scanner or a read of the client-side code. Two practical caveats. First, innerHTML does not execute a <script> element it inserts, which is why the payload uses an <img> whose onerror handler fires when src=x fails to load. Second, browsers differ in which fragment characters location.hash percent-encodes; an encoded %3C never opens a tag unless the page decodes the value first, so check what your browser actually returns for location.hash before concluding the sink is safe.
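As an added example (not the lab's own source), the following Node-runnable model shows the location.hash → innerHTML flow beside its hardened form, why a response-only scanner never observes the payload, and how fragment percent-encoding changes the outcome. The element stand-in, the function names and the payloads are constructed for this illustration; Node's WHATWG URL parser stands in for the browser's URL handling.

```javascript
// Added example, not the lab's own code. Models the lab's source -> sink flow
// with a stand-in element so it runs in Node without a DOM.

// Stand-in for the DOM element the lab writes into (constructed; no real DOM here).
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Vulnerable pattern the lab describes: the fragment (minus the leading '#')
// is assigned as markup, so any tag it contains is parsed by the browser.
function renderUnsafe(el, hash) {
  el.innerHTML = hash.slice(1);
  return el.innerHTML;
}

// Hardened form: assign to textContent, which the browser renders as text and
// never parses as HTML, so '<img ...>' is displayed literally.
function renderSafe(el, hash) {
  el.textContent = hash.slice(1);
  return el.textContent;
}

// If the value really must be placed inside markup, escape the characters that
// can open a tag, attribute or entity before it reaches innerHTML.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Triage heuristic for innerHTML-class sinks only: a tag carrying an on*
// handler or a javascript: URL runs once parsed; a bare <script> inserted via
// innerHTML does not (other sinks such as document.write do execute it).
function executesViaInnerHTML(markup) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(markup) || /javascript:/i.test(markup);
}

// What a server-side scanner can observe: the request target on the wire is
// path plus query. The fragment is never sent.
function requestTarget(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}

// Variant seen in real pages: the value is decoded before assignment. A
// percent-encoded fragment is harmless to renderUnsafe but not to this.
function renderUnsafeDecoded(el, hash) {
  el.innerHTML = decodeURIComponent(hash.slice(1));
  return el.innerHTML;
}

// Constructed payload URL from the lab description.
const PAYLOAD_URL = "https://xss.vulnlab.dev/dom/#<img src=x onerror=alert(1)>";

// Stand-alone walkthrough.
const el = makeElement();
console.log("on the wire:      ", requestTarget(PAYLOAD_URL));
console.log("raw hash -> sink: ", renderUnsafe(el, "#<img src=x onerror=alert(1)>"),
            executesViaInnerHTML(el.innerHTML) ? "(executes)" : "(inert)");
const parsedHash = new URL(PAYLOAD_URL).hash;   // WHATWG parser percent-encodes < > and space
console.log("parsed hash:      ", parsedHash);
console.log("parsed -> sink:   ", renderUnsafe(el, parsedHash),
            executesViaInnerHTML(el.innerHTML) ? "(executes)" : "(inert)");
console.log("decoded -> sink:  ", renderUnsafeDecoded(el, parsedHash),
            executesViaInnerHTML(el.innerHTML) ? "(executes)" : "(inert)");
console.log("textContent:      ", renderSafe(el, parsedHash));
console.log("escaped:          ", escapeHtml("<img src=x onerror=alert(1)>"));
```

Node's parser follows the WHATWG URL fragment percent-encode set, so `parsedHash` arrives as `%3Cimg%20src=x...`; whether a given browser's `location.hash` does the same varies, which is why the walkthrough shows both the raw and the parsed form feeding the sink.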
