← All Challenges
Challenge 45 of 66

DOM Manipulator

🟠 Hard Injection +100 XP

The page reads from location.hash and inserts it into the DOM via innerHTML. Craft a URL fragment that executes JavaScript.

DOM Manipulator // sandbox
DOM XSS happens entirely client-side. Use an img tag with onerror in the URL hash.

🏆 Challenge Complete!

+100 XP earned
Next Challenge →
← Prev Next →