0 votes

Hello,

In Exercise 4 Task 1e) (question 5) we are expected to use the vulnerable query parameter to get "alert(document.location)" to execute without user interaction.

Does this mean the user should not even have to press "Purchase" to trigger the alert?

Kind regards

in ex04 by (410 points)

1 Answer

0 votes

Yes, you should provide a query parameter that an attacker can use to trigger XSS, where a victim does not need to use the "Purchase" button in the form.

by (1.3k points)