A simulated cybersecurity training forum.
Hint 1: Try to access the forum as an administrator. This training environment is intentionally vulnerable, so think carefully about how websites improperly render user input.
In this simulation, the login page was intentionally vulnerable. Normally, websites should treat usernames and passwords as plain text. However, in Vulnerable Mode, the webpage improperly handled user input and allowed HTML code to be interpreted by the browser.
When you entered payloads like <img src=x onerror=alert('XSS')>, the browser treated the input as executable code instead of harmless text. This demonstrates the core idea behind Cross-Site Scripting (XSS): attackers inject code into webpages, and that code then executes inside another user's browser.
Real attackers may use XSS to steal cookies, redirect users, impersonate accounts, or modify webpages. In this simulator, the payload only creates harmless alerts so students can safely observe the behavior.
Secure Mode prevents this by escaping special HTML characters before displaying user input. That means the browser displays the code as text instead of executing it.
This webpage simulates how Cross-Site Scripting (XSS) works inside a forum website. Try the demo payloads below in the Search, Login, Post, and Comment sections to observe what happens in Vulnerable Mode, then switch to Secure Mode to see how protection works.
Demo payloads:
<script>alert('XSS')</script>
<img src=x onerror=alert('Image XSS')>
<svg onload=alert('SVG XSS')>
<b>Injected HTML</b>
Instructions:
In Secure Mode, the simulator escapes dangerous HTML characters before displaying user input. This prevents browsers from interpreting injected code as executable scripts.
Vulnerable Mode: innerHTML rendering
Secure Mode: textContent whenever possible
This simulator is designed only for safe cybersecurity education in controlled environments.
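The following is an added example, not the simulator's own code, showing the escaping step that Secure Mode describes and the innerHTML versus textContent difference side by side. The escapeHtml, renderComment, renderIntoElement and containsTag functions and the HTML_ESCAPES table are assumptions of this example; the four demo payloads are the ones listed on this page, used here as constructed sample input. It runs in Node without a browser, and the optional DOM part at the end only executes when a document object exists.

```javascript
// Added example (not the training forum's own code). The demo payloads from
// this page serve as constructed sample input.
const DEMO_PAYLOADS = [
  "<script>alert('XSS')</script>",
  "<img src=x onerror=alert('Image XSS')>",
  "<svg onload=alert('SVG XSS')>",
  "<b>Injected HTML</b>",
];

// Every character the HTML parser treats specially, mapped to its entity.
// (Hypothetical table for this example; the simulator's own code is not shown.)
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Secure Mode's core step: turn markup characters into entities so the
// browser displays the payload as literal text instead of parsing it.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Builds the string a forum would put inside a comment element.
// 'vulnerable' inserts the raw input (what innerHTML rendering does);
// 'secure' escapes it first.
function renderComment(userInput, mode) {
  if (mode === 'vulnerable') {
    return userInput;
  }
  return escapeHtml(userInput);
}

// Detection helper: does the rendered content still contain a start tag?
// Anything matching '<' followed by a letter would be parsed as an element.
function containsTag(rendered) {
  return /<[a-z]/i.test(rendered);
}

// The same choice expressed as DOM operations. innerHTML hands the string to
// the HTML parser (scripts in onerror/onload handlers can run); textContent
// stores it as a plain text node, so the browser never interprets it.
function renderIntoElement(element, userInput, mode) {
  if (mode === 'vulnerable') {
    element.innerHTML = userInput;
  } else {
    element.textContent = userInput;
  }
  return element;
}

// Stand-alone demo: print both renderings for each payload.
for (const payload of DEMO_PAYLOADS) {
  console.log('input     :', payload);
  console.log('vulnerable:', renderComment(payload, 'vulnerable'), '-> tag present:', containsTag(renderComment(payload, 'vulnerable')));
  console.log('secure    :', renderComment(payload, 'secure'), '-> tag present:', containsTag(renderComment(payload, 'secure')));
}

// Only in a real browser: render the first payload safely into a <div>.
if (typeof document !== 'undefined') {
  const div = document.createElement('div');
  renderIntoElement(div, DEMO_PAYLOADS[0], 'secure');
  document.body.appendChild(div); // shows the literal text "<script>alert('XSS')</script>"
}
```

The escaping must cover all five characters, not just angle brackets: a quote character alone is enough to break out of an attribute value if the input is ever placed inside one, which is why Secure Mode's approach of escaping before display, or using textContent and never innerHTML for user-supplied strings, is the rule rather than a case-by-case filter for known payloads.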