PS - DomXSS

Lab: DOM XSS in document.write sink using source location.search

• Lab on PortSwigger

Instructions

instruction

• We click on access the lab

Resolution

• We land on this page

landing

• It mentions a location.search source in the title so the search box is definitely where we should try our injection.

• Here is the js code for the search

function trackSearch(query) {
    document.write('<img src="/resources/images/tracker.gif?searchTerms='+query+'">');
}
var query = (new URLSearchParams(window.location.search)).get('search');
if(query) {
    trackSearch(query);
}

• We can see that it is taking our input and it will be used in the img tag.

• Indeed if we type test for example, we can then if we inspect the element see that our string is in the src of the image tag

in img tag

• So to get an alert we can try to close the img tag and put another tag with an alert in it let's try this "><script>alert(1)</script>

alert

• And it works!

Solved