June 20, 2026
DOM XSS in document.write
PortSwigger lab: DOM XSS in document.write sink using source location.search
Shiv Kumar
What is cross-site scripting (XSS)?
Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user's data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application's functionality and data.
DOM-based cross-site scripting
DOM-based XSS (also known as DOM XSS) arises when an application contains some client-side JavaScript that processes data from an untrusted source in an unsafe way, usually by writing the data back to the DOM.
Access The Lab
The search feature on this page used the URL parameter after ?search= as input and displayed it using JavaScript's document.write function, making it vulnerable to DOM-based XSS.
I entered a string like test in the search box and observed how it was reflected on the page. Then, I crafted the XSS payload to break out of the context and trigger JavaScript execution.
Payload: ">
I placed the payload in the search box.
Burp Suite captured the GET request.
Forward the request.
After loading the page, the payload executed and a JavaScript alert popup appeared, which confirmed DOM XSS and completed the lab.
This demonstrates a DOM-based XSS attack, where the application's JavaScript code writes unsanitized data from the URL to the DOM, allowing arbitrary script execution.
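The source-to-sink flow described above, shown next to a hardened form, as an added example that is not the lab's own code. The `<img>` tracker markup, the function names and the sample query string are assumptions made for illustration; the sample value is a benign markup marker, not a script.

```javascript
// Constructed sample: a benign markup marker, percent-encoded as it would
// appear in location.search. No script is involved.
const SAMPLE_QUERY = '?search=%22%3E%3Cb%3Ex%3C%2Fb%3E';

// Source: read the search parameter the way client code reads location.search.
function readSearch(queryString) {
  return new URLSearchParams(queryString).get('search') ?? '';
}

// Vulnerable pattern: the raw value is concatenated into markup that would
// then be handed to document.write(). The <img> tracker markup is assumed.
function buildUnsafe(search) {
  return '<img src="/tracker.gif?q=' + search + '">';
}

// HTML-attribute encoding for the characters that can end the value or tag.
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened form: URL-encode for the query component, then attribute-encode.
// In a browser, prefer createElement()/setAttribute() over document.write().
function buildSafe(search) {
  return '<img src="/tracker.gif?q=' + escapeAttr(encodeURIComponent(search)) + '">';
}

// Simplified tag counter (handles double-quoted attributes only): counts how
// many tags an HTML parser would start, to show whether input left its attribute.
function countTags(html) {
  let tags = 0, inTag = false, inQuote = false;
  for (const ch of html) {
    if (!inTag) {
      if (ch === '<') { inTag = true; tags++; }
    } else if (inQuote) {
      if (ch === '"') inQuote = false;
    } else if (ch === '"') {
      inQuote = true;
    } else if (ch === '>') {
      inTag = false;
    }
  }
  return tags;
}

const value = readSearch(SAMPLE_QUERY);
console.log(buildUnsafe(value), countTags(buildUnsafe(value)));
console.log(buildSafe(value), countTags(buildSafe(value)));
```

A tag count above one for the unsafe output means the input closed the attribute and the tag and was parsed as new markup; the hardened output stays a single `<img>` element.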
Thanks For Reading