# PS - DomXSS

## Lab: DOM XSS in document.write sink using source location.search

* [Lab on PortSwigger](https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-document-write-sink)

### Instructions

![instruction](/files/HYMeCxA6FD4gBufvWLqj)

* We click on access the lab

### Resolution

* We land on this page

![landing](/files/iHnYd6NaiPRkh5WcnIcq)

* It mentions a location.search source in the title so the search box is definitely where we should try our injection.
* Here is the js code for the search

```js
function trackSearch(query) {
    document.write('<img src="/resources/images/tracker.gif?searchTerms='+query+'">');
}
var query = (new URLSearchParams(window.location.search)).get('search');
if(query) {
    trackSearch(query);
}
```

* We can see that it is taking our input and it will be used in the img tag.
* Indeed if we type test for example, we can then if we inspect the element see that our string is in the src of the image tag

![in img tag](/files/rASUkvpWTbH4gpKLPsf5)

* So to get an alert we can try to close the img tag and put another tag with an alert in it let's try this `"><script>alert(1)</script>`

![alert](/files/fMHdkIAjfGb21xxzmST8)

* And it works!

![Solved](/files/0fkuaF7hGrH3AKqWiPtB)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://csbygb.gitbook.io/pentips/writeups/ps-xss/ps-domxss.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.