# DOM XSS in innerHTML sink using source location.search

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2Fq01tGHUgNu9MGjiB8PCg%2F1.png?alt=media&#x26;token=653e1137-18ab-45e0-85ef-21bc7a1fe0ec" alt=""><figcaption></figcaption></figure>

Let's insert the following payload in the search field:

```
test_payload
```

We can now open the developer tools and search for our payload in the rendered DOM.

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2FZdVUqaGs7zVmbYcYrlK3%2F2.png?alt=media&#x26;token=0146f2a6-14c0-4990-9438-f730547f7502" alt=""><figcaption></figcaption></figure>

We can see that our payload has been inserted into the `<span>` tag; more specifically, it has been appended to the `src` attribute of the image inside it.

Right below that is a `<script>` tag containing the code responsible for the DOM manipulation:

```js
function doSearchQuery(query) {
    document.getElementById('searchMessage').innerHTML = query;
}
var query = (new URLSearchParams(window.location.search)).get('search');
if (query) {
    doSearchQuery(query);
}
```

* The `doSearchQuery` function takes a `query` parameter and sets the `innerHTML` of the element with the ID `searchMessage` to the query value, so the browser parses the value as HTML.
* The `query` variable is assigned the value of the `search` parameter from the URL query string (`window.location.search`) using `URLSearchParams`.
* If the `search` parameter exists in the URL, `doSearchQuery` is called with the obtained value. The source is therefore `location.search` and the sink is `innerHTML`, with no encoding in between.
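
The source/sink pair above, reproduced beside a hardened version, as an added example that is not the lab's own code. `FakeElement` and `fakeDocument` are stand-ins for the DOM so the file runs under Node; `escapeHtml` and `renderSearchMessage` are helpers written for this example, and the flag `parsedAsMarkup` is a simulation of the browser's behaviour, not a real DOM property.

```javascript
// Simulated element. A real browser hands an innerHTML assignment to the HTML
// parser, so a string containing a tag becomes live markup; textContent never
// does. parsedAsMarkup records which of the two happened (simulation only).
class FakeElement {
  constructor() { this._html = ''; this._text = ''; this.parsedAsMarkup = false; }
  set innerHTML(v) { this._html = String(v); this.parsedAsMarkup = /<\s*[a-zA-Z!\/]/.test(v); }
  get innerHTML() { return this._html; }
  set textContent(v) { this._text = String(v); this.parsedAsMarkup = false; }
  get textContent() { return this._text; }
}
const fakeDocument = {
  nodes: { searchMessage: new FakeElement() },
  getElementById(id) { return this.nodes[id] || null; },
};

// Source: identical to the lab script except that the query string is passed in
// instead of being read from window.location.search.
function getSearchParam(locationSearch) {
  return new URLSearchParams(locationSearch).get('search');
}

// Vulnerable sink, mirroring the lab's doSearchQuery: the untrusted value is
// written to innerHTML unchanged. Returns the element so the caller can inspect it.
function doSearchQueryVulnerable(doc, query) {
  const el = doc.getElementById('searchMessage');
  el.innerHTML = query;
  return el;
}

// Hardened sink: textContent stores the value as text, so '<img ...>' is
// displayed literally rather than parsed.
function doSearchQuerySafe(doc, query) {
  const el = doc.getElementById('searchMessage');
  el.textContent = query;
  return el;
}

// When the message really has to be built as HTML, entity-encode the untrusted
// part first. Minimal encoder for text content and quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderSearchMessage(query) {
  return `0 search results for '${escapeHtml(query)}'`;
}

// Constructed input: the lab's payload, URL-encoded as a browser would send it.
const constructedSearch = '?search=' + encodeURIComponent('<img src=1 onerror=alert("1")>');
const constructedQuery = getSearchParam(constructedSearch);
console.log('vulnerable parsedAsMarkup:', doSearchQueryVulnerable(fakeDocument, constructedQuery).parsedAsMarkup); // true
console.log('hardened parsedAsMarkup:  ', doSearchQuerySafe(fakeDocument, constructedQuery).parsedAsMarkup);       // false
console.log('encoded message:          ', renderSearchMessage(constructedQuery));
```

The fix that matches the lab's code most closely is the `textContent` assignment: it needs no encoder and cannot be bypassed by a differently shaped tag. The `escapeHtml` route is for the case where the element must contain other markup around the user-supplied text; a code review should treat any `innerHTML` assignment fed by `location.search`, `location.hash` or `document.referrer` as a finding until the value is shown to be encoded or the sink replaced.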

Now that we know how the DOM manipulation works, we can insert our final payload into the search field. Because the value reaches `innerHTML` unchanged, the browser parses it as markup and the `onerror` handler fires, generating an alert.

```
<img src=1 onerror=alert("1")>
```

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2FZoljx8k685IzH4EVWGB5%2F3.png?alt=media&#x26;token=a17e3d36-4553-45c2-bd67-ca17c688f321" alt=""><figcaption></figcaption></figure>

We have solved the lab.

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2Fnt4CwYdoMcK3jOVJdTlV%2F4.png?alt=media&#x26;token=0b341ac0-032d-48d1-9ec1-a168064d28cb" alt=""><figcaption></figcaption></figure>
