In this post we will walk step by step through how to solve the DOM XSS in document.write sink using source location.search lab on PortSwigger. This lab's difficulty is Apprentice and it is the third lab in the Cross-Site Scripting labs on PortSwigger.
To start the lab click the ‘Access the Lab’ button.
When we begin the lab we will be presented with a blog featuring a search field and a few blog posts. Don’t worry if the content differs from the screenshot; PortSwigger Labs can modify the content each time the lab is initiated.
To start our test, let's begin with the 'Search' field. Type any recognisable string into the field and click the 'SEARCH' button; in this example we use asd123. The page reloads with what we typed reflected back and displayed on the page, and the search term also appears in the URL's query string, which is where the page's JavaScript reads it from.
The page's client-side JavaScript reads the search term from location.search (the source) and passes it to the document.write function (the sink), which writes content straight into the DOM without encoding it. Understanding this, we can exploit the document.write sink by supplying, through location.search, a value that document.write will interpret as HTML rather than as plain text. Using the payload "><script>alert(1)</script> in the search field, the leading "> closes the img tag's src attribute, and the script element that follows is written into the page and executed. Note that this works with document.write specifically: unlike innerHTML, markup written with document.write is parsed by the HTML parser as the page loads, so a <script> element injected this way does run.
We should examine the HTML source code to confirm what happened. After the img tag, whose src attribute now ends in a lone double quote, we discover <script>alert(1)</script> as a separate element. This is a result of our escape from the img tag's src attribute using ">.
We should also take note of the payload reflected in the URL: the browser percent-encodes characters such as " and < in the query string, but location.search carries that encoded value and the page decodes it before handing it to document.write, so the encoding offers no protection.
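To make the source-to-sink flow concrete, here is an added example (not the lab's own code, nor anything from PortSwigger) that models it in Node so it can be run offline: the query string is decoded the way the browser does for location.search, concatenated into the tracker-image markup that the page would then hand to document.write, and compared against a hardened builder. The markup, the "search" parameter name and the hostname are assumptions made for illustration, and the payload is the one used above.

```javascript
// Added example, not the lab's own code: a Node-runnable model of the
// source-to-sink flow in this lab. The tracker-image markup, the "search"
// parameter name and the hostname are assumptions made for illustration.

// Constructed payload, the same one used to solve the lab.
const PAYLOAD = '"><script>alert(1)</script>';

// Source: the browser exposes the query string as location.search.
// URLSearchParams percent-decodes it, so %22%3E comes back as ">.
function searchTermFromUrl(url) {
  return new URLSearchParams(new URL(url).search).get('search');
}

// Vulnerable sink pattern: raw concatenation of the search term into an
// attribute value, followed in the browser by document.write(markup).
// document.write parses the string as HTML, and a <script> written this
// way is executed, unlike one assigned through innerHTML.
function buildTrackerImg(query) {
  return '<img src="/resources/images/tracker.gif?searchTerms=' + query + '">';
}

// Hardened version: percent-encode the term so it can never contain " or <.
// This is one safe pattern for a URL-valued attribute, not the lab's fix.
function buildTrackerImgSafe(query) {
  return '<img src="/resources/images/tracker.gif?searchTerms=' +
         encodeURIComponent(query) + '">';
}

// A well-formed tracker tag ends with '">' immediately after the src value,
// so anything else following the first closing quote means the attribute
// was broken out of.
function escapesSrcAttribute(markup) {
  const prefix = '<img src="';
  if (!markup.startsWith(prefix)) {
    throw new Error('unexpected markup: ' + markup);
  }
  const closingQuote = markup.indexOf('"', prefix.length);
  return markup.slice(closingQuote) !== '">';
}

// Walk the flow once for both sinks and return every intermediate value.
function demo() {
  // The browser percent-encodes the payload when it builds the URL.
  const url = 'https://example.invalid/?search=' + encodeURIComponent(PAYLOAD);
  const term = searchTermFromUrl(url);
  return {
    url,
    term,
    vulnerable: buildTrackerImg(term),
    hardened: buildTrackerImgSafe(term),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Running it with node prints the URL as it appears in the address bar (payload percent-encoded), the decoded term as document.write receives it, and the two markup strings side by side; escapesSrcAttribute() returns true only for the vulnerable one.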
That completes the lab! Well done! If you found this helpful, please send me a tweet and tell me what you thought! Feedback is always appreciated!