Level 11: LocalStorage Poisoning
MISSION: This is a 2-step attack. Inject a payload into LocalStorage using the URL parameter, then refresh the page to see your persistent DOM XSS trigger.
[Default Banner - No custom data found]
/// SOURCE CODE INSPECTOR ///
// Client-Side Storage Logic
const params = new URLSearchParams(window.location.search);
const saveBanner = params.get('save_banner');
// 1. If 'save_banner' is in the URL, it saves it to LocalStorage
if (saveBanner) {
localStorage.setItem('custom_banner', saveBanner);
}
// 2. On page load, it blindly renders the LocalStorage data
let banner = localStorage.getItem('custom_banner');
if (banner) {
document.getElementById('banner-area').innerHTML = banner;
}/// DECRYPTION COMPLETE ///
This is a persistent client-side vulnerability. First, the payload is saved to the browser's LocalStorage via the URL parameter. Second, the page reads from LocalStorage and renders it unsafely via innerHTML. Once injected, the XSS triggers every time the victim visits the page.
Step 1 (Visit this URL):
?save_banner=<img src=x onerror=alert(1)>Step 2: Refresh the page or visit /level11 without parameters.