Difficulty: Apprentice
Vulnerability: DOM-based Cross-Site Scripting (XSS) via document.write
Lab Link: https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-document-write-sink
The objective of this lab was to exploit a DOM XSS vulnerability found in the search query tracking functionality.
My goal was to identify where user input was being written into the DOM, understand the specific context (inside an HTML attribute), and craft a payload to break out of that attribute to execute the alert() function.
I started by entering a generic string (test123) into the search bar.
I inspected the page source to see where this string appeared. I found it inside an <img> tag that looked like a tracking pixel.
This line of code writes the user input into the page without any validation or encoding, which lets a malicious user inject markup and execute arbitrary script.
<img src="/resources/images/tracker.gif?searchTerms=test123">
To exploit this, the input has to break out of the src attribute value and then out of the <img> tag itself. Once it does, arbitrary script can run; in this case the goal is to execute alert(1).
The complete function response from the server which was the vulnerable sink is as follows:
function trackSearch(query) {
    document.write('<img src="/resources/images/tracker.gif?searchTerms='+query+'">');
}

var query = (new URLSearchParams(window.location.search)).get('search');
if(query) {
    trackSearch(query);
}
The web application's search functionality reads the search term straight from a user-controlled source, the query string of the URL:
var query = (new URLSearchParams(window.location.search)).get('search');
This reads the value of the search parameter from the URL. This is the source where we can supply our payload.
The sink where our input gets written is this specific line of code:
document.write('<img src="/resources/images/tracker.gif?searchTerms='+query+'">');
We can break out of the attribute with a payload like this:
Payload: "><script>alert(1)</script>
The leading " closes the src attribute value and the > closes the <img> tag, so the <script> element that follows is written into the document as real markup and runs. Submitting this in the search box triggers the alert, confirming the vulnerability in the web application.
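The following is an added example, not the lab's or PortSwigger's own code. It places a copy of the vulnerable document.write sink next to a hardened replacement that percent-encodes the search term and creates the tracker image through DOM APIs instead of writing HTML; the `stubDocument` stand-in for the browser document is assumed so the code runs under Node.

```javascript
// Added example (not the lab's own code): the document.write sink beside a
// hardened version. A stub "document" is passed in so this runs outside a browser.

// Reproduces the vulnerable sink: the query is concatenated raw into an HTML
// attribute, so a double quote ends the src value and ">" ends the <img> tag.
function trackSearchVulnerable(query) {
  return '<img src="/resources/images/tracker.gif?searchTerms=' + query + '">';
}

// Hardened step 1: build the tracker URL with encodeURIComponent, so '"', '<',
// '>' and '&' are percent-encoded and can never be parsed as markup.
function trackerUrl(query) {
  return '/resources/images/tracker.gif?searchTerms=' + encodeURIComponent(query);
}

// Hardened step 2: create the element through DOM APIs instead of document.write.
// Assigning .src never runs the HTML parser over the user-controlled value.
function trackSearchSafe(doc, query) {
  const img = doc.createElement('img');
  img.src = trackerUrl(query);
  doc.body.appendChild(img);
  return img;
}

// Review heuristic over the markup a sink would emit: a single <img> string
// that suddenly contains a second tag means the input broke out of its context.
function attributeBreakout(markup) {
  return (markup.match(/<[a-zA-Z]/g) || []).length > 1;
}

// Minimal stand-in for the browser document (assumption so the example runs in Node).
function stubDocument() {
  const body = { children: [], appendChild(el) { this.children.push(el); } };
  return { body, createElement(tag) { return { tagName: tag.toUpperCase(), src: '' }; } };
}

// Constructed input: the lab's payload from the write-up above.
const payload = '"><script>alert(1)</script>';

// Vulnerable path: the payload becomes real markup in the written HTML.
const vulnerableMarkup = trackSearchVulnerable(payload);
console.log(vulnerableMarkup, attributeBreakout(vulnerableMarkup)); // true

// Safe path: exactly one <img>, whose src carries only percent-encoded text.
const doc = stubDocument();
const img = trackSearchSafe(doc, payload);
console.log(img.src, doc.body.children.length); // 1
```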