03 - DOM XSS in document.write sink using source location.search

This lab contains a DOM-based cross-site scripting vulnerability in the search query tracking functionality. It uses the JavaScript document.write function, which writes data out to the page. The document.write function is called with data from location.search, which you can control using the website URL.

To solve this lab, perform a cross-site scripting attack that calls the alert function.

Given - XSS in search functionality
End goal - call alert function


Start the lab. The homepage has a search function. I searched for the word hello.

Looking at the page source, we see that our search keyword is added directly into the image's href attribute. Now construct a payload that closes the tag and calls the function.


Payload - "><script>alert(3)</script>


An alert popped up.

Lab solved.
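
Why the payload leaves the attribute, and what the fixed sink looks like, as an added example that is not part of the original write-up or the lab's own code. The img markup, the tracker path and the URLSearchParams lookup are assumptions, and the sink is modelled as string building so it runs in Node without a DOM.

```javascript
// Added example: models the string that would be handed to document.write.
// Assumption: the img markup and tracker path below are illustrative.
const PREFIX = '<img src="/resources/images/tracker.gif?searchTerms=';

// Vulnerable form: the raw query is concatenated into a double-quoted attribute.
function trackSearchVulnerable(search) {
  const query = new URLSearchParams(search).get('search');
  return query ? PREFIX + query + '">' : '';
}

// HTML-escape a string for use inside an attribute value.
function escapeHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened form: encode for the URL context first, then for the HTML attribute context.
// In a browser, creating the element and assigning the attribute through the DOM
// avoids document.write altogether.
function trackSearchHardened(search) {
  const query = new URLSearchParams(search).get('search');
  return query ? PREFIX + escapeHtmlAttr(encodeURIComponent(query)) + '">' : '';
}

// True when the markup is more than one img tag, i.e. input left the attribute.
function escapesAttribute(markup) {
  return markup !== '' && !/^<img src="[^"<>]*">$/.test(markup);
}

// Constructed inputs: a benign search and the payload from the write-up.
const benign = '?search=hello';
const payload = '?search=' + encodeURIComponent('"><script>alert(3)</script>');

const builders = [['vulnerable', trackSearchVulnerable], ['hardened', trackSearchHardened]];
for (const [name, build] of builders) {
  for (const input of [benign, payload]) {
    const markup = build(input);
    console.log(name, escapesAttribute(markup) ? 'BREAKOUT' : 'contained', markup);
  }
}
```

The same `escapesAttribute` check can serve as a regression test for any code that builds markup from `location.search`.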