June 18, 2026
PortSwigger : DOM XSS in document.write Sink Using Source location.search
In this lab, the website has a DOM-based XSS vulnerability in the search tracking function.
danar
The page uses JavaScript document.write to write data into the page. The data comes from location.search, which means the value is taken from the URL query string.
The goal is to run JavaScript that calls the alert function.
SOLUTION
First, I clicked Access the Lab. After that, I was redirected to a blog website with a search feature.
Before adding the payload, I entered a random word into the search box.
Example: avhbuga
After searching, I inspected the page using Developer Tools.
The random word appeared inside an image source attribute like this:
<img src="/resources/images/tracker.gif?searchTerms=avhbuga">
Why I Checked the img src
I checked the img src because this lab uses document.write, and the user input is written directly into the HTML page.
By checking the HTML structure, I can know where my input is placed. In this case, the input is placed inside an HTML attribute. Because of that, the payload needs to break out from the attribute first before running JavaScript.
After knowing where the input is placed, I entered this payload into the search box:
"><svg onload=alert(1)>
Then I clicked Search.
Why This Payload Works
The payload used is:
"><svg onload=alert(1)>
The first part, ">, closes the existing src attribute and breaks out of the image tag.
The next part, <svg onload=alert(1)>, creates a new SVG element. The onload event handler runs automatically as soon as the SVG element is loaded.
Inside the onload handler is alert(1), which makes the browser show an alert pop-up.
The vulnerability happens because the website writes the search value into the page without proper filtering or encoding.
After the payload was submitted, the browser executed the JavaScript and showed an alert pop-up.
After the alert appeared, the lab status changed to Solved.
This lab shows how DOM XSS can happen when JavaScript writes user input into the HTML page using document.write.
By checking the HTML structure first, I found that the search input was placed inside an img src attribute. Because of that, I used this payload:
"><svg onload=alert(1)>
The payload breaks out of the attribute, creates an SVG element, and runs alert(1). From this lab, I learned that user input from the URL should not be written directly into the page without proper encoding.
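As an added example (not the lab's own code), the following models the document.write pattern described above beside a hardened version that percent-encodes the search term before it becomes part of the tracker URL. The tracker path and the search parameter name are assumptions based on the img src shown earlier; write stands in for document.write so the functions can run outside a browser.

```javascript
// Vulnerable model: the raw query-string value is concatenated straight into
// HTML markup, so a value containing "> closes the src attribute and the img tag.
function trackSearchUnsafe(searchTerm, write) {
  write('<img src="/resources/images/tracker.gif?searchTerms=' + searchTerm + '">');
}

// Hardened model: the value is percent-encoded before it is placed in the URL,
// so quotes and angle brackets can never be interpreted as markup.
function trackSearchSafe(searchTerm, write) {
  write('<img src="/resources/images/tracker.gif?searchTerms=' +
        encodeURIComponent(searchTerm) + '">');
}

// Read the term the way the page describes, from the query string
// (a string such as "?search=avhbuga" instead of the live window.location).
// The parameter name "search" is an assumption.
function searchTermFrom(locationSearch) {
  return new URLSearchParams(locationSearch).get('search');
}

// Count start tags in the markup that would be written; a single tracker
// pixel should produce exactly one, so a higher count signals a breakout.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Run one tracking function against a query string and collect what it
// would have handed to document.write.
function render(track, locationSearch) {
  let html = '';
  const term = searchTermFrom(locationSearch);
  if (term) track(term, (s) => { html += s; });
  return html;
}

// Constructed query string carrying the payload discussed on this page.
const payloadSearch = '?search=' + encodeURIComponent('"><svg onload=alert(1)>');
```

In a real page the cleanest fix is to avoid string-built markup entirely: create the img with document.createElement and assign its src property, so the browser never parses user input as HTML.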
Thanks for your attention.