The task is pretty simple: we have to change the text “Modify me” to “Modified you” and the text “Find me” to “Found you” dynamically, using an XSS vulnerability that we will find on the site.
First, we have to find the injection point for the XSS payload on the site. After some inspection you will find it: the url parameter or the input field itself. Then we have to figure out which tags to replace with custom text. By inspecting the source code, you will find that the first <h1> tag and the third <h2> tag (heading tags) are the ones to target.
<script> document.getElementsByTagName('H1')[0].innerHTML="Found You"; document.getElementsByTagName('H2')[2].innerHTML="Modified You"; </script>
Then copy the code above and paste it into the input field of the target web page. The first statement picks the first h1 tag (heading 1) and replaces its content with our custom text “Found You”. The second statement gets the 3rd h2 tag (heading 2) and changes its content to our custom text “Modified You”.
Remember: if you are putting the XSS payload into the URL after the url parameter, you have to URL-encode it first and only then put it into the URL.
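Why the URL-encoded form still ends up as live markup, and the output encoding that stops it, as an added example that is not part of the original write-up or the challenge site's code. The page template, the `challenge.example` host, the function names and the parameter name `url` (read from the text above) are assumptions.

```javascript
// Added illustration: a hypothetical reflected sink, not the challenge site's code.

// Constructed sample input, modelled on the payload in the walkthrough.
const payload =
  '<script>document.getElementsByTagName("h1")[0].innerHTML="Found You";</script>';

// Constructed request: the value percent-encoded into the assumed `url` parameter.
function buildRequestUrl(value) {
  const u = new URL('http://challenge.example/page');
  u.searchParams.set('url', value);
  return u.toString();
}

// Query parsing decodes the value, so percent-encoding is transport only:
// the server-side code receives the original characters again.
function readParam(requestUrl) {
  return new URL(requestUrl).searchParams.get('url') ?? '';
}

// Vulnerable pattern: the decoded value is concatenated straight into markup.
function renderUnsafe(requestUrl) {
  return `<p>You entered: ${readParam(requestUrl)}</p>`;
}

// Hardened pattern: HTML-encode the value for the element-content context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function renderSafe(requestUrl) {
  return `<p>You entered: ${escapeHtml(readParam(requestUrl))}</p>`;
}

const requestUrl = buildRequestUrl(payload);
console.log('request :', requestUrl);
console.log('unsafe  :', renderUnsafe(requestUrl)); // script element reaches the page
console.log('safe    :', renderSafe(requestUrl));   // shown as inert text
```

The escaping shown covers values placed in element content or quoted attributes; values placed inside script blocks or URLs need encoding for those contexts instead.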