In this post, we will be solving the lab: “DOM XSS in document.write sink using source location.search inside a select element”.

DOM XSS lab description

In this case, to solve the challenge we need to escape from the select element and call the alert function.

The first thing to do is access the lab:

Lab main page

Once we’ve accessed it, we can see several products. Let’s open any one of them:

List of available products

On the product page, we can see a feature to check stock in different cities:

Individual product view

City selector to verify stock

Stock verification result

If we look at the website’s source code, we can find the following code:

JavaScript script in the source code

Analyzing the script, we can see that in addition to the three default cities available for the stock check, one more can be added through the storeId parameter in the URL. So we can try adding that parameter with any value:

URL with storeId parameter added

Once we access the website again, this time with the storeId parameter, we look at the cities:

New city added to the selector

We can see that one more has been added, named after the value we passed in the parameter.

If we go back to the source code, we can see how this parameter is implemented:

Parameter implementation in the code

So, observing this, we can try supplying a value that breaks out of the option element itself and executes an alert:

URL with malicious XSS payload

When accessing the website with this value in the parameter:

Successful alert execution

The alert is executed. In the source code, we can see the following:

Source code showing successful escape

And this way, we manage to solve the lab:

Lab successfully completed
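
To make the root cause and its fix concrete, here is an added example (not the lab's own code) that models the described pattern, a storeId value from the query string concatenated into select markup, next to a hardened version. The city names, function names and sample inputs are assumptions constructed for illustration, and the markup value is inert.

```javascript
// Added example: the pattern modelled as string building so it runs in Node without a DOM.
const STORES = ["CityA", "CityB", "CityC"]; // constructed placeholder city names

// Vulnerable: the query value is concatenated into markup, as a document.write sink receives it.
function renderVulnerable(search) {
  const store = new URLSearchParams(search).get("storeId");
  let html = '<select name="storeId">';
  if (store) html += "<option selected>" + store + "</option>";
  for (const s of STORES) if (s !== store) html += "<option>" + s + "</option>";
  return html + "</select>";
}

// HTML-encode the characters that can start or end a tag or attribute.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: same markup, but the untrusted value is encoded before it reaches the sink.
// In a browser, prefer DOM APIs over document.write, e.g. select.add(new Option(store)).
function renderSafe(search) {
  const store = new URLSearchParams(search).get("storeId");
  let html = '<select name="storeId">';
  if (store) html += "<option selected>" + escapeHtml(store) + "</option>";
  for (const s of STORES) if (s !== store) html += "<option>" + s + "</option>";
  return html + "</select>";
}

// Check: true if the markup closes the select more than once or contains any
// tag other than select/option, i.e. the value broke out of the element.
function escapesSelect(html) {
  const closes = (html.match(/<\/select>/gi) || []).length;
  const foreignTag = /<(?!\/?(?:select|option)\b)[a-z]/i.test(html);
  return closes !== 1 || foreignTag;
}

// Constructed inputs: a plain store name and a value carrying inert markup.
const plain = "?storeId=CityD";
const markup = "?storeId=" + encodeURIComponent("</option></select><b>injected</b>");

for (const [label, q] of [["plain", plain], ["markup", markup]]) {
  console.log(label, "vulnerable escapes:", escapesSelect(renderVulnerable(q)),
    "| hardened escapes:", escapesSelect(renderSafe(q)));
}
```

With the hardened renderer the markup value is displayed as literal text inside a single option, so the select element keeps its structure.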