Identify where location.search is used in a script on the home page. Notice that it takes user input from the search parameter, then insert an <img src=x onerror=alert()> to trigger the XSS and solve the lab.
In principle, a website is vulnerable to DOM-based cross-site scripting if there is an executable path via which data can propagate from source to sink. In practice, different sources and sinks have differing properties and behavior that can affect exploitability, and determine what techniques are necessary. Additionally, the website’s scripts might perform validation or other processing of data that must be accommodated when attempting to exploit a vulnerability. There are a variety of sinks that are relevant to DOM-based vulnerabilities. Please refer to the list below for details.
The document.write sink works with script elements, so you can use a simple payload, such as the one below:
The innerHTML sink doesn’t accept script elements on any modern browser, nor will svg onload events fire. This means you will need to use alternative elements like img or iframe. Event handlers such as onload and onerror can be used in conjunction with these elements. For example:
This lab contains a DOM-based cross-site scripting vulnerability in the search blog functionality. It uses an innerHTML assignment, which changes the HTML contents of a div element, using data from location.search.
To solve this lab, perform a cross-site scripting attack that calls the alert function.
Write-up
Land on the home page and look for the search functionality. A quick search for location.search shows us the following script:
function doSearchQuery(query) {
    document.getElementById('searchMessage').innerHTML = query;
}
var query = (new URLSearchParams(window.location.search)).get('search');
if(query) {
    doSearchQuery(query);
}
Simply put, our input is inserted into the webpage through the URL search parameter. Since this time the sink is innerHTML, script elements are not executed and we need to use an img tag such as:
<img src=x onerror=alert()>
Using this in our search URL or through the search input feature solves the lab.
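As an added example (not code from the lab or this write-up), the snippet below reads the same search parameter the lab script uses, shows a hardened way to render it, and runs a check over constructed log lines for the payload shape seen above. The function names, the host lab.example and the sample log lines are assumptions; it runs under Node.js without a browser.

```javascript
// Added example: source, hardened sink and a log check for the lab's payload shape.
// Node.js only; the host lab.example and all sample lines are constructed.

// Source: the `search` query parameter, read the same way the lab script reads it.
function extractSearchParam(url) {
  return new URL(url, 'http://lab.example').searchParams.get('search');
}

// Hardening when an innerHTML sink cannot be avoided: escape the characters that
// let text become markup. (Assigning to textContent is the simpler fix in a browser.)
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// What the page renders once the query is escaped: the img tag stays literal text.
function renderSearchMessage(query) {
  return '<span id="searchMessage">' + escapeHtml(query) + '</span>';
}

// Detection: a `search` value carrying a tag with an on* handler, or a script tag,
// is the shape of input this lab's sink turns into executing code.
function looksLikeMarkupInjection(value) {
  if (value === null) return false;
  return /<\s*[a-z]+[^>]*\son[a-z]+\s*=/i.test(value) || /<\s*script\b/i.test(value);
}

// Constructed sample access-log lines (not real traffic): method, path+query, status.
const SAMPLE_LOG = [
  'GET /?search=kittens 200',
  'GET /?search=%3Cimg%20src%3Dx%20onerror%3Dalert()%3E 200',
  'GET /?search=%3Cscript%3Ealert(1)%3C%2Fscript%3E 200',
  'GET /post?postId=3 200',
];

// Returns the decoded `search` values from lines that match the payload shape.
function flagSuspiciousSearches(lines) {
  return lines
    .map((line) => extractSearchParam(line.split(' ')[1]))
    .filter(looksLikeMarkupInjection);
}

console.log(flagSuspiciousSearches(SAMPLE_LOG));
```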