HACKR.GG
hackr.gg — Official Walkthrough
Confidential · Educational Use Only

NoteSnap

DOM XSS · DOM-Based XSS (Hash Source → innerHTML Sink)
Difficulty: Easy
Vuln class: DOM-Based XSS (Hash Source → innerHTML Sink)
Steps: 3
// Objective
Craft a URL fragment that injects HTML into the page via location.hash → innerHTML and steal the session cookie.
// Tools required
Browser
// Step-by-step walkthrough
1. Understand the source
NoteSnap reads location.hash (everything after # in the URL) and writes it directly to innerHTML. The hash is never sent to the server — it is purely client-side.
Command / Input
http://localhost:$PORT/#<b>test</b>
If "test" renders bold, innerHTML is confirmed as the sink.
2. Inject an XSS payload via the hash
Use an img tag with an onerror handler: script tags inserted through innerHTML do not execute, but the onerror handler fires when the image fails to load from the invalid src.
Command / Input
http://localhost:$PORT/#<img src=x onerror=alert(document.cookie)>
Output
Alert popup showing the session cookie with the flag.
URL-encode the payload if the browser strips characters: use encodeURIComponent in the console.
3. Read the flag
The flag is the value of the session cookie shown in the alert.
Output
HackrGG{d0m_h4sh_s0urc3_1nj3ct10n}
// Flag
Flag value
HackrGG{d0m_h4sh_s0urc3_1nj3ct10n}
In the session cookie — revealed when your hash-based XSS payload executes.
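
// Remediation
The fix for the location.hash → innerHTML flow exploited above, as an added example that is not part of the original walkthrough or NoteSnap's own code. All function names are hypothetical, and the vulnerable function is an assumed reconstruction of the pattern the walkthrough describes.

```javascript
// Added example; NoteSnap's real source is not shown, so all names are hypothetical.

// Assumed reconstruction of the vulnerable pattern: the attacker-controlled
// fragment is parsed as HTML, so event-handler attributes inside it execute.
function renderNoteVulnerable(el, hash) {
  el.innerHTML = decodeURIComponent(hash.slice(1));
}

// Decode the fragment without letting a malformed percent-escape
// (which makes decodeURIComponent throw URIError) break rendering.
function noteFromHash(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  try {
    return decodeURIComponent(raw);
  } catch {
    return raw;
  }
}

// Fix 1: textContent inserts the value as a text node; nothing is parsed as markup.
function renderNoteSafe(el, hash) {
  el.textContent = noteFromHash(hash);
}

// Fix 2: if the note must be placed inside an HTML string, escape it first.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function noteTemplate(hash) {
  return `<p class="note">${escapeHtml(noteFromHash(hash))}</p>`;
}

// Constructed sample input: the fragment from step 2 of the walkthrough.
const sample = '#<img src=x onerror=alert(document.cookie)>';
console.log(noteTemplate(sample));
```

Marking the session cookie HttpOnly keeps it out of document.cookie, so an injection that slips past the rendering fix still cannot read it.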