Split XSS Lab

This lab is to go with the Split XSS blog post.

The challenge is to get a working, and useful, XSS exploit within the limits of the two forms. I've given you jQuery, it is possible to do it without it, but it may require a short domain name for the first exercise.

In the real world the values would be saved and the XSS persistent rather than reflected as it is here.

Limited Space

Concatenated Strings


Lab created by Robin Wood - DigiNinja