Lab: DOM XSS in `innerHTML` sink using source `location.search`

APPRENTICE

This lab contains a DOM-based cross-site scripting vulnerability in the search blog functionality. It uses an innerHTML assignment, which changes the HTML contents of a div element, using data from location.search.

To solve this lab, perform a cross-site scripting attack that calls the alert function.

ACCESS THE LAB

Solution

Enter the following into the into the search box:
<img src=1 onerror=alert(1)>
Click "Search".

The value of the src attribute is invalid and throws an error. This triggers the onerror event handler, which then calls the alert() function. As a result, the payload is executed whenever the user's browser attempts to load the page containing your malicious post.

Community solutions

z3nsh3ll

Michael Sommer

Register for free to track your learning progress

The benefits of working through PortSwigger's Web Security Academy

Practise exploiting vulnerabilities on realistic targets.
Record your progression from Apprentice to Expert.
See where you rank in our Hall of Fame.

Already got an account? Login here

Lab: DOM XSS in innerHTML sink using source location.search