Secure Legion Labs

Advanced Lab

DOM XSS - Filter Bypass Challenge

This challenge reads payloads from the query string or hash fragment, applies weak sanitization, and renders the result back into the DOM. The goal is to understand the browser-side data flow and land execution.

Objective: Reach DOM execution. Drive attacker-controlled browser data into a dangerous sink.
Difficulty: Intermediate. Two sources, weak cleanup, and multiple render paths.
Flag: Unlock on solve. The flag appears once the lab detects a successful path.
Input Surface

Sources the page reads from

  • Query string: ?input=payload
  • Hash fragment: #payload
Hint: If one client-side route looks blocked, think about whether the browser still has other ways to turn your input into active HTML.
Filter Logic

What the application tries to stop

The page strips broad script references, removes common event handler names, and replaces alert. It still leaves realistic bypass routes for a learner who understands the sink.

// "value" is the raw string read from the query string or hash (name assumed here);
// each replace() is a plain denylist substitution, applied once, in this order.
value = value
  .replace(/script/gi, "")
  .replace(/onerror/gi, "")
  .replace(/onload/gi, "")
  .replace(/alert/gi, "blocked");
Lab Console

Drive a payload

Pick a source, launch a payload, and the console will sync it into the current page without forcing a full reload.

Dangerous Sink

Output

The value is rendered through innerHTML and mirrored through a debug line to simulate multiple client-side render paths.


Flag Unlock

Challenge flag

The flag appears here after the lab detects a successful execution path.

Submit Flag

Validate completion

Submit the exact unlocked flag to finish this room.

Flag is locked until you trigger the challenge condition.

Execution Path

How the vulnerability works

1. Read input

The page collects attacker-controlled data from the query string or hash fragment.

2. Weak cleanup

Basic string replacement removes only a few obvious substrings; anything the denylist does not name passes through unchanged.

3. Inject into DOM

The "cleaned" value is still handed to innerHTML, so the browser parses it as markup rather than displaying it as text.
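The three steps above, written out as an added example (not the lab's own source, which the page does not show): the two sources, the four-rule denylist from the Filter Logic section, and the innerHTML sink beside the hardened alternative of treating the value as text. The function names, the sample URLs and the sample payload are constructed for illustration.

```javascript
// Step 1: read input. The lab accepts ?input= in the query string or the hash fragment.
function readSource(url) {
  const u = new URL(url);
  const fromQuery = u.searchParams.get("input");   // already percent-decoded
  if (fromQuery !== null) return { source: "query", value: fromQuery };
  if (u.hash.length > 1) {
    const raw = u.hash.slice(1);
    let value;
    try { value = decodeURIComponent(raw); } catch (e) { value = raw; } // keep raw on a bad escape
    return { source: "hash", value };
  }
  return { source: "none", value: "" };
}

// Step 2: weak cleanup. This reproduces only the four replace() calls the lab lists.
// It is a denylist of substrings: it has no idea what the HTML parser will do with the rest.
function weakSanitize(value) {
  return value
    .replace(/script/gi, "")
    .replace(/onerror/gi, "")
    .replace(/onload/gi, "")
    .replace(/alert/gi, "blocked");
}

// Step 3 (lab behaviour): what the innerHTML sink receives. Tags survive; the browser parses them.
function vulnerableSinkInput(value) {
  return weakSanitize(value);          // later: el.innerHTML = <this string>
}

// Hardened render path: escape so the parser only ever produces text nodes.
// In a real page the equivalent is simply el.textContent = value, which needs no filter at all.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}
function hardenedSinkInput(value) {
  return escapeHtml(value);            // later: el.innerHTML = <this string>, or el.textContent = value
}

// Detection helper: does a string headed for innerHTML still contain anything that opens a tag?
function containsMarkup(html) {
  return /<[a-z!\/]/i.test(html);
}
```

Run against the constructed payload `<img src=x onerror=alert(1)>`, the denylist only renames the attribute and the function, while the tag itself still reaches the parser; the escaped version leaves nothing for the parser to act on.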