Check whether the rendered HTML shows your alterations, or whether a popup box appears if you chose that route. If it does, you have found an XSS-vulnerable site. If you are really lucky, your changes will be written to the database, making the XSS persistent (stored): every visitor who loads the page gets your payload. If not, you can still find uses for a temporary (reflected) XSS, where the payload only fires when a victim opens a crafted link.
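The check described above, written out as an added JavaScript example that is not code from the original post: a comment listing is rendered once by a widget that concatenates stored user input straight into HTML and once by a widget that escapes it, and a harmless probe tag (the `<xss-probe>` marker is an assumption, chosen so that it cannot execute anything) is submitted through an in-memory store so the same check distinguishes stored XSS from a one-off reflection.

```javascript
// Added example, not code from the original post. Simulates a comment widget
// rendering untrusted input both unsafely and safely, plus the probe check.

// Harmless, unique marker. If it reaches the page unescaped, any other tag would too.
const PROBE = '<xss-probe data-id="8f1c">';

// Vulnerable widget: user-controlled fields are concatenated into markup as-is.
function renderListUnsafe(comments) {
  return '<ul class="last-published">' +
    comments.map(c => `<li><b>${c.author}</b>: ${c.body}</li>`).join('') +
    '</ul>';
}

// Minimal HTML escaping for text content and double-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, ch => map[ch]);
}

// Hardened widget: every untrusted field passes through escapeHtml first.
function renderListSafe(comments) {
  return '<ul class="last-published">' +
    comments.map(c => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`).join('') +
    '</ul>';
}

// The check from the post: does the probe survive in the rendered HTML as markup?
function probeSurvives(renderedHtml, probe = PROBE) {
  return renderedHtml.includes(probe);
}

// Tiny in-memory "database" so stored and reflected cases can be told apart.
function createStore(seed) {
  const rows = seed.map(r => ({ ...r }));
  return {
    submit(comment) { rows.push({ ...comment }); },
    all() { return rows.map(r => ({ ...r })); },
  };
}

// Constructed sample data: one benign comment already in the store.
const SEED_COMMENTS = [{ author: 'alice', body: 'Hello world' }];

// Submit the probe, then re-render from the store on a "fresh page load".
// Returns one verdict per renderer: 'stored' if the probe came back from the
// database unescaped, 'reflected' if it only showed in the immediate response,
// 'none' if it never appeared as markup.
function classify(render) {
  const store = createStore(SEED_COMMENTS);
  const probeComment = { author: PROBE, body: `Nice post ${PROBE}` };

  // Immediate response: the site echoes what was just submitted.
  const reflected = probeSurvives(render([...store.all(), probeComment]));

  store.submit(probeComment);
  const stored = probeSurvives(render(store.all()));

  if (stored) return 'stored';
  if (reflected) return 'reflected';
  return 'none';
}

function runChecks() {
  return {
    unsafe: classify(renderListUnsafe),
    safe: classify(renderListSafe),
  };
}

module.exports = { PROBE, escapeHtml, renderListUnsafe, renderListSafe, probeSurvives, classify, runChecks };
```

Run it with `node` and call `runChecks()`: the unsafe widget reports `stored` because the probe survives a round trip through the store, while the escaping widget reports `none`. In a real test the probe would be submitted through the site's form and looked for in the response body and on a later page load, but the decision rule is the same.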
One of my all-time favourite site features is the "last published content" section, especially if the site is publicly open and users can post whatever they want: anything injected there is rendered to every visitor of the front page. One of my standard tricks is to inject the following code whenever I find text input fields:
This was fairly brief and easy to do, and that is what really fascinates me. It is easy to pass as an elite hacker with tricks this simple, and we face such people every day. Most of them are teenagers trying to impress; some are people curious about the limits of the products we produce. This is just one of the reasons I advocate secure coding as a principle.