13.4 Lab: DOM XSS in innerHTML sink using source location.search | 2023
This lab contains a DOM-based XSS vulnerability in the search blog functionality. It uses an innerHTML assignment, which changes the HTML contents of a div element, using data from location.search. To solve this lab, perform a XSS attack that calls the alert function
Description
This lab contains a DOM-based cross-site scripting vulnerability in the search blog functionality. It uses an innerHTML
assignment, which changes the HTML contents of a div
element, using data from location.search
.
To solve this lab, perform a cross-site scripting attack that calls the alert
function.
Pre-Requisite
Solution
- Paste the payload into the Search box
<img src=1 onerror=alert(1)>
- Click “Search”.
The value of the src
attribute is invalid and throws an error. This triggers the onerror
event handler, which then calls the alert()
function. As a result, the payload is executed whenever the user's browser attempts to load the page containing your malicious post.
If you would like to support me so that I can create more free content — https://www.buymeacoffee.com/cyberw1ng
Thank you for Reading!
Happy Hacking ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng
Telegram Channel for Ethical Hacking Dumps — https://t.me/ethicalhackingessentials