In this post, we're going to solve the PortSwigger Web Security Academy lab "DOM XSS in document.write sink using source location.search":

DOM XSS lab description

When we open the lab, the first thing we see is the following website:

Lab main page

There’s a search bar, so let’s try simply searching for something:

Test search in the search bar

Search result in the source code

When we perform the search, if we right-click the search term on the results page and inspect the element, we can see that our input has been placed inside the src attribute of an <img> tag. Note that this reflection only shows up in the live DOM (the browser's element inspector), not in "View page source": as the lab title says, the page's own JavaScript reads the term from location.search (the URL query string) and writes the <img> markup with document.write, so the server response never contains our input. This is what makes it a DOM-based XSS rather than a reflected one.

Knowing exactly where our input lands, we can craft a payload that closes the src attribute and the <img> tag and then opens a new element of our own.

For example, let's use:

  • "><script>alert("XSS")</script>//

Here "> closes the src attribute value and the <img> tag, <script>alert("XSS")</script> is the code we want to run, and the trailing // simply sits in front of the leftover "> from the original markup, which ends up as harmless text (the // is not strictly needed). Because document.write hands this string to the HTML parser while the page is loading, the injected <script> element is actually executed; this would not be the case with a sink such as innerHTML, which does not run script tags.

XSS payload in the search bar

Once we’ve written our payload, we simply perform another search:

Successful alert execution

And as we can see, the injected code executes. Inspecting the element again shows the resulting markup:

Source code with executed payload

As we can see, our input is no longer inside the <img>: the opening "> closed the element early, and the rest of the payload was parsed as a new <script> element, so the browser ran our JavaScript. Since the payload travels in the URL, the same link sent to a victim would run it in their browser as well.
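To make the mechanics concrete, here is an added example (not the lab's own script and not from the original post) that models the vulnerable flow in plain JavaScript so it runs under Node without a browser: the query string is parsed the way location.search would be, the search term is concatenated into the <img> markup exactly as a document.write sink would do, and a hardened variant encodes the term before it is placed in the URL. The function names, the parameter name search and the exact markup are assumptions for illustration; the lab's real code is not reproduced here.

```javascript
// Added example modelling the location.search -> document.write flow.
// Names (getSearchParam, trackerMarkup, safeTrackerMarkup, tagNames) and the
// markup are assumptions for illustration, not the lab's own code.

// The payload used in the walkthrough above.
const PAYLOAD = '"><script>alert("XSS")</script>//';

// Read the `search` parameter from a query string, the way a page would
// read it from window.location.search (URLSearchParams decodes the value).
function getSearchParam(locationSearch) {
  return new URLSearchParams(locationSearch).get('search');
}

// Vulnerable sink: the raw term is concatenated into HTML that would then
// be handed to document.write. A term containing "> closes the attribute
// and the element, so whatever follows is parsed as new markup.
function trackerMarkup(query) {
  return '<img src="/resources/images/tracker.gif?searchTerms=' + query + '">';
}

// Hardened variant: the term lands inside a URL inside a double-quoted
// attribute, so encode it as a URL component. encodeURIComponent turns
// " < > & / into %XX escapes, so nothing can terminate the attribute or
// start a tag. (It leaves ' alone, so the attribute must stay double-quoted.)
function safeTrackerMarkup(query) {
  return '<img src="/resources/images/tracker.gif?searchTerms=' +
    encodeURIComponent(query) + '">';
}

// Crude tag lister: returns the opening tag names found in a markup string,
// enough to show whether the payload escaped the <img> element.
function tagNames(html) {
  return Array.from(html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g), m => m[1].toLowerCase());
}

// Run the payload through both sinks and report what each one produces.
function demo() {
  // Constructed URL: what the browser would put in location.search after
  // submitting the payload through the search form.
  const locationSearch = '?search=' + encodeURIComponent(PAYLOAD);
  const query = getSearchParam(locationSearch);
  const vulnerable = trackerMarkup(query);
  const safe = safeTrackerMarkup(query);
  return {
    query,
    vulnerable,
    vulnerableTags: tagNames(vulnerable), // ['img', 'script']: payload broke out
    safe,
    safeTags: tagNames(safe),             // ['img']: payload stayed in the URL
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real browser the cleanest fix avoids building HTML strings at all: create the element with document.createElement('img'), assign the value to img.src, and append it to the document, so the term never reaches the HTML parser. Encoding for the exact context (URL component inside a quoted attribute) is the fallback when the markup really must be built as a string.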

With this done, we successfully solve the lab:

Lab successfully completed