DOM XSS Lab

www.almuthannax.com

This page is intentionally vulnerable. It reads ?payload= from the URL and writes it into the DOM with innerHTML.

What To Test

Open app.almuthannax.com and set the lab cookie.
Return here and trigger the cross-origin PUT.
Observe whether the app reports that the cookie arrived.

The request is cross-origin but same-site. That distinction is the core of this experiment.

Manual Trigger

Value to include in the PUT body

Waiting for request...

The app now reflects Access-Control-Allow-Origin for HTTPS subdomains under almuthannax.com, so this cross-origin PUT from www should be allowed again.

Vulnerable Sink

Current payload source: ?payload=

No payload provided.

Example payload: <img src=x onerror="runCredentialedPut()">