Course

In this example, you will explore a DOM-based XSS vulnerability on a static page. The JavaScript code on the page retrieves the anchor portion of the URL and writes it into the page using `document.write` without proper escaping. This behavior can be exploited to execute arbitrary JavaScript code by manipulating the URL.

The lab highlights how modern browsers encode the URL fragment, necessitating the use of `decodeURIComponent` to decode the fragment before writing it to the page. This example illustrates how older browsers were susceptible to such attacks even without decoding, and how the vulnerability persists with the use of `decodeURIComponent`. By understanding the source code and observing the rendered HTML, you can craft a payload that demonstrates the XSS vulnerability.