Lab: DOM XSS in document.write sink using source


  • We click on access the lab


  • We land on this page

  • It mentions a source in the title so the search box is definitely where we should try our injection.

  • Here is the js code for the search

function trackSearch(query) {
    document.write('<img src="/resources/images/tracker.gif?searchTerms='+query+'">');
var query = (new URLSearchParams('search');
if(query) {
  • We can see that it is taking our input and it will be used in the img tag.

  • Indeed if we type test for example, we can then if we inspect the element see that our string is in the src of the image tag

  • So to get an alert we can try to close the img tag and put another tag with an alert in it let's try this "><script>alert(1)</script>

  • And it works!

Last updated