
03 - DOM XSS in document.write sink using source location.search

This lab contains a DOM-based cross-site scripting vulnerability in the search query tracking functionality. It uses the JavaScript document.write function, which writes data out to the page. The document.write function is called with data from location.search, which you can control using the website URL.

To solve this lab, perform a cross-site scripting attack that calls the alert function.

Given: XSS in the search functionality

End goal: call the alert function


Start the lab. On the home page there is a search function. To work out the context our input lands in, search for the word 'hello':

(Screenshot: search)

Open the element inspector with Ctrl+Shift+C, then use Ctrl+F to find the word (hello) you searched for. We see that our search keyword is inserted directly into the image's href attribute. Now construct a payload that closes the tag and calls the function.

(Screenshot: source code)

Payload: "><script>alert(3)</script>

With this payload we close the img tag and then add our own script tag, which runs the alert function and fulfils our end goal.
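The sink in this lab is a string concatenated into document.write, so the fix is to stop untrusted input from changing the markup. The following added example (not the lab's or PortSwigger's code) rebuilds the pattern as pure functions that run in Node without a DOM; the tracker path /resources/images/tracker.gif, the parameter name "search" and the helper names are assumptions.

```javascript
// Added example, not the lab's own script. Tracker path and "search"
// parameter name are assumptions chosen to mirror the lab's behaviour.

// Read the "search" parameter the way the page's script reads location.search.
function getSearchTerm(locationSearch) {
  return new URLSearchParams(locationSearch).get('search') || '';
}

// Vulnerable form: the raw query is concatenated into markup destined for
// document.write. A value containing "> ends the attribute and the img tag,
// so whatever follows is parsed as new HTML.
function trackerHtmlUnsafe(query) {
  return '<img src="/resources/images/tracker.gif?searchTerms=' + query + '">';
}

// Hardened form: the value is URL-encoded before it touches the markup, so
// ", < and > can never appear in the written string.
function trackerHtmlSafe(query) {
  return '<img src="/resources/images/tracker.gif?searchTerms=' +
    encodeURIComponent(query) + '">';
}

// Simple check for reviews or tests: markup we wrote should contain exactly
// one opening tag. Any extra tag means input broke out of the attribute.
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Preferred DOM fix: build the element instead of writing an HTML string.
// Requires a browser document (or a DOM shim), so it is not exercised here.
function appendTrackerImage(doc, query) {
  const img = doc.createElement('img');
  img.src = '/resources/images/tracker.gif?searchTerms=' + encodeURIComponent(query);
  doc.body.appendChild(img);
  return img;
}

// Constructed demo input: the lab's payload as it would arrive in location.search.
const DEMO_SEARCH = '?search=%22%3E%3Cscript%3Ealert(3)%3C%2Fscript%3E';

function demo() {
  const term = getSearchTerm(DEMO_SEARCH);
  return {
    term,
    unsafeTags: countOpeningTags(trackerHtmlUnsafe(term)), // 2: img plus injected script
    safeTags: countOpeningTags(trackerHtmlSafe(term)),     // 1: only the img we wrote
  };
}
```

Running demo() shows the same payload producing two tags through the unsafe builder and one through the safe builder, which is the check a reviewer can drop into a unit test for any document.write call site.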

(Screenshot: search)

After searching with the payload we get the alert popup:

(Screenshot: popup)

Lab solved.
(If you have any query, question or suggestion, feel free to ask below. We would be happy to connect with you. Have a great day, buddy!!)