NoteSnap reads location.hash and writes it directly to innerHTML. Craft a URL fragment with an XSS payload to steal the session cookie.
Craft a URL fragment that injects HTML into the page via location.hash → innerHTML and steal the session cookie.
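
The location.hash → innerHTML flow described above, shown next to a hardened rendering path. This is an added example, not NoteSnap's own code; the function names, the length cap and the stand-in element object are assumptions made for illustration.

```javascript
// Added example; all names below are hypothetical, not taken from NoteSnap.

// The pattern the page describes: fragment text reaches an HTML-parsing sink.
function renderNoteUnsafe(el, hash) {
  el.innerHTML = hash.slice(1); // any markup in the fragment is parsed as HTML
}

// Decode defensively: malformed percent-escapes make decodeURIComponent throw URIError.
function decodeFragment(hash, maxLen = 2000) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  let text;
  try {
    text = decodeURIComponent(raw);
  } catch (e) {
    text = raw; // keep the undecoded text instead of aborting the render
  }
  return text.slice(0, maxLen); // assumed cap on note length
}

// Hardened form: the fragment is only ever assigned to a text sink.
function renderNoteSafe(el, hash) {
  el.textContent = decodeFragment(hash);
}

// For code paths that must build an HTML string, escape the text first.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed stand-in for a DOM element so the comparison runs under Node.
function fakeElement() {
  return { innerHTML: '', textContent: '' };
}

function demo() {
  const hash = '#%3Cb%3Enote%3C%2Fb%3E'; // constructed sample: benign "<b>note</b>"
  const unsafeEl = fakeElement();
  const safeEl = fakeElement();
  renderNoteUnsafe(unsafeEl, decodeURIComponent(hash));
  renderNoteSafe(safeEl, hash);
  return {
    unsafeHtml: unsafeEl.innerHTML,   // markup handed to the HTML parser
    safeHtml: safeEl.innerHTML,       // stays empty: no HTML sink touched
    safeText: safeEl.textContent,     // same characters, rendered as text
    escaped: escapeHtml(safeEl.textContent),
  };
}
```

Marking the session cookie HttpOnly keeps it out of document.cookie, which limits what a script injected through this sink can read even if the sink is missed.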