DUCA beginner CTF
XSS Playground
Enter your name below. This application is intentionally vulnerable.
Rendered output (unsafe)
Values stored in the browser
username: user
isAdmin: false
Example payloads
<script>alert(1)</script>
<script>alert(isAdmin)</script>
Challenge goal: Use the unsafe name input to change
isAdmin from false to true.
Hint 1
If input is treated as HTML and JavaScript instead of plain text,
tags like <script> can run.
Hint 2
Look at the variable names shown on screen. Can you change
isAdmin from false to true?
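
Hint 1's distinction between HTML and plain text, shown from the fixing side as an added example (not the playground's own code). The function names renderUnsafe, renderSafe, escapeHtml and containsScriptTag are hypothetical, and the sample inputs are the page's default username and its two example payloads.

```javascript
// Added example: every name below is hypothetical and is not taken from
// the playground's source.

// Unsafe pattern: the name is concatenated straight into markup, so any
// tags in it are parsed as HTML once the string is written into the page.
function renderUnsafe(name) {
  return '<p>Hello, ' + name + '</p>';
}

// The five characters that are significant in HTML text and in quoted
// attribute values, with their entity encodings.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened pattern: encode for the HTML text context before concatenating.
function renderSafe(name) {
  return '<p>Hello, ' + escapeHtml(name) + '</p>';
}

// Simple check used for the comparison: does the markup open a script element?
function containsScriptTag(markup) {
  return /<script\b/i.test(markup);
}

// Inputs: the default username plus the two example payloads from the page.
const samples = ['user', '<script>alert(1)</script>', '<script>alert(isAdmin)</script>'];

function compare() {
  return samples.map((input) => ({
    input,
    unsafeHasScript: containsScriptTag(renderUnsafe(input)),
    safeHasScript: containsScriptTag(renderSafe(input)),
    safeMarkup: renderSafe(input),
  }));
}

console.log(compare());
```

In a browser, assigning the name to an element's textContent gives the same result without manual escaping, because the value is never parsed as markup.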