In this post, we are going to solve the lab: “DOM XSS in innerHTML sink using source location.search”.

Lab homepage for DOM XSS in innerHTML sink

First of all, as always, we access the lab:

Initial view of the lab with search bar

Once we are in, we see a search bar. So let’s search for anything:

Test search in the search bar

Source code showing innerHTML of the span tag

If we look closely, the string we searched for is reflected on the page. If we right-click it and inspect the element, we can see that it has been written into the innerHTML of a <span> tag. The lab's script takes the search parameter from location.search (the source) and assigns it to that element's innerHTML (the sink), so the browser parses whatever we type as HTML rather than as text.

Knowing this, we can try a payload that is parsed as HTML and executes JavaScript. A plain <script> tag would not work here, because script elements inserted through innerHTML are never executed; instead we use an <img> element whose onerror handler fires when its src fails to load. For example, we will use the following payload (the leading </span> is the standard form of the lab's solution and is what the rendered source below shows, although the <img> with its event handler is the part that actually runs code):

  • </span><img src=/ onerror=alert(1) />//

XSS payload inserted in the search bar

JavaScript alert executing successfully

When we search for it, the payload is executed: the browser requests / as an image, the load fails, and the onerror handler runs alert(1). The rendered source went from:

  • <span id="searchMessage">hola</span>

to:

  • <span id="searchMessage"></span><img src=/ onerror=alert(1) />//</span>
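To make the source-to-sink flow concrete, the following is an added example, not the lab's own script: it reproduces the same flow the lab uses (location.search read through URLSearchParams and written to innerHTML), places the vulnerable sink next to its fixed forms (textContent, or HTML-encoding before an HTML sink), and includes a small browser-console helper that logs every innerHTML write so you can confirm which element receives the search value. The function names, the hookInnerHtmlSink helper and the sample search string are assumptions made for this example; DOM calls are guarded so the pure helpers also run under Node.

```javascript
// Added example, not the lab's own code. Mirrors the lab's flow
// (location.search -> URLSearchParams -> innerHTML) and shows the fix.

// Source: the "search" parameter taken from location.search.
// URLSearchParams percent-decodes it, so encoding the payload in the
// URL is not a defence; the decoded markup reaches the sink intact.
function getSearchQuery(search) {
  return new URLSearchParams(search).get('search');
}

// Vulnerable sink: the decoded query is parsed as HTML by the browser,
// so an <img onerror=...> in the query runs JavaScript.
function renderUnsafe(el, search) {
  const query = getSearchQuery(search);
  if (query) {
    el.innerHTML = query; // DOM XSS
  }
}

// Fix 1: textContent treats the value as text, never as markup.
function renderSafe(el, search) {
  const query = getSearchQuery(search);
  if (query) {
    el.textContent = query;
  }
}

// Fix 2: if the value really must reach an HTML sink, encode it first.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Triage helper for the browser console (assumed name; returns false and
// does nothing without a DOM): wraps the innerHTML setter so every write
// to the sink is logged with the element that received it.
function hookInnerHtmlSink() {
  if (typeof Element === 'undefined') return false;
  const desc = Object.getOwnPropertyDescriptor(Element.prototype, 'innerHTML');
  Object.defineProperty(Element.prototype, 'innerHTML', {
    configurable: true,
    get() { return desc.get.call(this); },
    set(value) {
      const tag = this.tagName.toLowerCase() + (this.id ? '#' + this.id : '');
      console.log('innerHTML sink <' + tag + '>:', value);
      desc.set.call(this, value);
    },
  });
  return true;
}

// Constructed sample: the lab payload as it appears percent-encoded
// in the URL after the search form submits it.
const PAYLOAD = '</span><img src=/ onerror=alert(1) />//';
const SAMPLE_SEARCH = '?search=' + encodeURIComponent(PAYLOAD);

// In a browser (e.g. pasted into the lab's console) install the hook and
// show the decoded value that reaches the sink; under Node this is skipped.
if (typeof document !== 'undefined') {
  hookInnerHtmlSink();
  console.log('decoded search query:', getSearchQuery(location.search));
}
```

Pasting the block into the lab page's console before submitting a search shows the write to span#searchMessage and its exact contents, which is the quickest way to confirm a suspected innerHTML sink before crafting a payload. The fix to look for in the page's own script is the textContent assignment shown in renderSafe; escapeHtml is only needed where an HTML sink cannot be avoided.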

With the alert executed, the lab is solved:

Lab solved successfully