[https://ch6.sbug.se](https://ch6.sbug.se)

This is simple challenge as the site title writes. As the challenge title writes i have to do alert with xss Analyzing the source code I found some scripts

```javascript
function loadObj(){
var cc=eval('('+unescape(aacc)+')');
document.getElementById('msg').textContent=cc.message;
}

if(window.location.hash.indexOf('mass')==-1)
var aacc="({\"message\":\"Hello User!\"})";
else
var aacc=location.hash.substr(window.location.hash.indexOf('mass=')+5);
```


```js
onload="loadObj()"
```

```js
id="msg"
```

```js
var tmp =location.hash;

$.ajax({
type: "POST",
url: "Tc5IQib027qvyjSMfHjOMaLk.php",
data: {"tmp":tmp},
success: function(data,status){
eval(data)
}
});
```

This script checks if there is something after `#` symbol in page url and if there is `mass=` evals the rest. The loadObj function is called everytime the page is refreshed. The getElementById changes the "Hello User" to evaled message and writes it to the page. The ajax requests sends the evaled data to a php script which contains the flag and evals the code after #

Easy eval. I used the simplest `alert(1)` as the xss payload got that url and refreshed the page. XSS worked and there was also the flag
[https://ch6.sbug.se/#mass=alert(1)](https://ch6.sbug.se/#mass=alert(1))

> FLAG{DOMDOM-XSS-1337}