10:
https://hackxpert.com/RXSS/DOM/10.php?default=%3Cscript%3Ealert(document.cookie)%3C/script%3E
If you inspect the javascript, you will realise there is a DOM sink in there:
document.write("<OPTION value=1>"+decodeURIComponent(document.location.href.substring(document.location.href.indexOf("default=")+8))+"</OPTION>");
It's going to look for the parameter "default" and try to display it in the first option of the dropdown. You can insert any XSS attack vector into there.