July 12, 2026
DOM XSS in document.write sink using source location.search inside a select element
Inspecting the source code our source is location.search specifically the storeId URL parameter. Our sink is document.write() which takes…
By CyberForge
1 min read
Inspecting the source code our source is location.search specifically the storeId URL parameter. Our sink is document.write() which takes the storeId value and writes it directly into the DOM with zero sanitization.
Looking at the page itself every product has a stock checker a dropdown that lets you select a store location.
Modifying the URL confirms this: /product?productId=1&storeId=Paris. The drop down automatically selects Paris, proving storeId from the URL is being read and written directly into the page via document.write().
Since document.write() renders everything as raw HTML with nothing blocked, injecting an HTML payload directly into storeId will execute. The storeId parameter doesn't appear in the default request we discovered it by reading the JS source code which revealed the app was listening for it.
Final payload:/product?productId=1&storeId=
storeId passes our <picture> <source media="(max-width: 768px)" srcset="/img/medium/700/1*TiE_wBsHPD5rlIXwgAgYow.png 1x"> <source media="(min-width: 769px)" srcset="/img/medium/2000/1*TiE_wBsHPD5rlIXwgAgYow.png 1x"> <img src="/img/medium/700/1*TiE_wBsHPD5rlIXwgAgYow.png" alt="None" width="783" height="444" loading="lazy" data-zoom-src="/img/medium/4000/1*TiE_wBsHPD5rlIXwgAgYow.png" class="prose-image"/> </picture>