Lab: DOM XSS in innerHTML sink using source location.search

APPRENTICE

This lab contains a DOM-based cross-site scripting vulnerability in the search blog functionality. It uses an innerHTML assignment, which changes the HTML contents of a div element, using data from location.search.

To solve this lab, perform a cross-site scripting attack that calls the alert function.

Solution

  1. Enter the following into the search box:

    <img src=1 onerror=alert(1)>

  2. Click "Search".

The value of the src attribute is invalid and throws an error. This triggers the onerror event handler, which then calls the alert() function. As a result, the payload is executed whenever the user's browser attempts to load the page containing your malicious post.
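The sink pattern described above next to two corrected forms, as an added example that is not the lab's own code. The query parameter name `search`, the function names, and the plain-object stand-in for the div are assumptions made so the block also runs outside a browser.

```javascript
// Added example. The "search" parameter name and all function names are assumed.

// Read the search term from a query string such as location.search.
function getSearchTerm(queryString) {
  return new URLSearchParams(queryString).get("search") || "";
}

// Vulnerable pattern: the browser parses the term as HTML, so an element
// carrying an event-handler attribute in the URL becomes live DOM.
function showTermUnsafe(el, queryString) {
  el.innerHTML = getSearchTerm(queryString);
}

// Fix 1: textContent never invokes the HTML parser; the term is shown literally.
function showTermSafe(el, queryString) {
  el.textContent = getSearchTerm(queryString);
}

// Fix 2: when markup around the term is required, encode the HTML
// metacharacters before the string reaches innerHTML.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function showTermEscaped(el, queryString) {
  el.innerHTML = "<b>" + escapeHtml(getSearchTerm(queryString)) + "</b>";
}

// Constructed sample: the string from the solution above, URL-encoded as the
// browser would place it in location.search.
const SAMPLE_QUERY = "?search=" + encodeURIComponent("<img src=1 onerror=alert(1)>");

// Run each variant against a fresh stand-in element and return what was written.
function demo() {
  const variants = { unsafe: showTermUnsafe, safe: showTermSafe, escaped: showTermEscaped };
  const results = {};
  for (const [name, render] of Object.entries(variants)) {
    const el = { innerHTML: "", textContent: "" }; // stand-in for the div
    render(el, SAMPLE_QUERY);
    results[name] = el;
  }
  return results;
}
```

In a browser, pass a real element and `location.search` to the same functions; only `showTermUnsafe` hands attacker-controlled markup to the HTML parser.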
