Your alert() XSS test fires but the popup is blank — what does that tell you?
Short answer
It confirms XSS. If alert() fired at all, the browser parsed and executed your injected JavaScript in the page context — that is the vulnerability. A blank/empty popup just means the string argument you passed didn't render as expected (quote handling, encoding, or context mangling broke the message), not that the payload is being blocked. The execution sink is live; you refine the payload from here.
This trap punishes outcome-watching over mechanism-understanding. A junior tester sees an empty box and concludes "didn't work — must be sanitized." The opposite is true: the empty box is proof the site is vulnerable.
What actually happened
alert() is a JavaScript function. For a popup to appear at all, the browser had to parse your injection as code and execute it in the page's origin. That is the entire definition of cross-site scripting: attacker-controlled input running as script in the victim's context. The dialog appearing is the success signal. Confirmed XSS.
Why the message is blank
The empty content tells you only that the string you passed to alert() didn't survive intact. Common causes: your quotes collided with the surrounding HTML/JS context and truncated the argument; the app HTML-encoded or stripped part of the string but not the script-executing characters; or the value went through a transformation (e.g. into an attribute, then reflected) that mangled the payload's text while leaving the execution path open. The sink runs; the data you fed it got chewed up. That is a payload-crafting problem, not a "not vulnerable" verdict.
What to do next
Refine the payload for the exact context — fix quoting, switch delivery (e.g. alert(document.domain) or template literals), and then demonstrate real impact such as reading document.cookie or making an authenticated request. The blank alert is your green light to escalate, not stop.
What interviewers look for
The candidate must recognise that execution = vulnerability, separate the sink firing from the payload rendering, and treat the blank popup as a refinement step. Concluding "sanitized, not vulnerable" is the disqualifying answer.
Likely follow-ups
- Why is the fact that alert() executed at all the important signal?
- How might quote/encoding handling produce an empty alert message?
- How would you adapt the payload to prove impact (e.g. exfiltrate document.cookie)?