DOM XSS in document.write sink using source location.search

https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-document-write-sink

Let's insert the following payload in the search field:

test_payload

We can now open the developer tools and search our payload.

We can see that our payload has been inserted in the <img> tag more specifically, it has been appended to the source of the image.

Right above that we can see a <script> tag which includes the script responsible for the DOM manipulation:

function trackSearch(query) {
    document.write('<img src="/resources/images/tracker.gif?searchTerms=' + query + '">');
}
var query = (new URLSearchParams(window.location.search)).get('search');
if (query) {
    trackSearch(query);
}

The trackSearch() function takes a query parameter and writes an image tag to the document, where the src attribute includes the search terms.
The query variable is then assigned the value of the 'search' parameter from the URL using URLSearchParams.
If the 'search' parameter exists in the URL, the trackSearch() function is called with the obtained query.

Now that we know how the DOM manipulation works, we can insert our final payload into the application which will generate an alert.

"><svg onload=alert(1)>

We have solved the lab.

Last updated 2 years ago