10) DOM XSS in document.write sink using source location.search inside a select element

Locate possible injection points
As usual, the first step is to analyse the application. Let's open the debugger on the stock checker page and look through its scripts.
One of them is interesting: it reads a query parameter from the URL (the window.location.search source) and writes it to the DOM using document.write (the sink).

This is the HTML when the storeId query parameter is not defined yet:

If we add storeId=test to the query string:
https://0a30000803cd3ef685eb0b790083001d.web-security-academy.net/product?productId=4&storeId=test
the HTML looks like this:

Now that we know the injection point, we need to break out of the option and select elements by closing each of them in turn, and then add the XSS payload that triggers the alert:
https://0a30000803cd3ef685eb0b790083001d.web-security-academy.net/product?productId=4&storeId=</option></select><img src=x onerror=alert(1)>

and we have solved the lab
