3) DOM XSS in document.write sink using source location.search
The search term is included on the result page.
A simple XSS attempt fails:
The page source shows that a piece of JavaScript reads the search term from the URL and writes it into an img tag, apparently for some kind of tracking:
Using the browser developer tools, I can inspect the resulting HTML. My search term is embedded without any apparent safeguards:
Of course, the script tags sit inside a quoted attribute value here, so they are harmless. However, if I can terminate that string by injecting a double quote, then I can manipulate the resulting HTML freely.
The malicious payload
Injecting "><script>alert(1)</script> results in the following HTML:
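To make the mechanism concrete from the defender's side, here is an added example (my own illustration, not the lab's code) that reconstructs the document.write pattern described above: the search term is copied into an img tag, first unescaped and then with attribute encoding, plus the DOM-API form that avoids string building altogether. The tracker image path, the search parameter name and the check function are assumptions.

```javascript
// Added illustration (not the lab's own code): the document.write pattern
// described above, vulnerable vs. hardened. The tracker path and the
// 'search' parameter name are assumptions.

// Read the search term the way the page describes: straight from location.search.
function getSearchTerm(search) {
  return new URLSearchParams(search).get('search') ?? '';
}

// Vulnerable: the raw term is concatenated into an attribute value, so a double
// quote closes the src attribute and everything after it becomes new markup.
function buildTrackerHtmlVulnerable(search) {
  const query = getSearchTerm(search);
  return '<img src="/resources/images/tracker.gif?searchTerms=' + query + '">';
}

// Encode the five characters that matter inside an HTML attribute value.
function encodeHtmlAttribute(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Hardened string version: the term can no longer terminate the attribute.
function buildTrackerHtmlSafe(search) {
  const query = getSearchTerm(search);
  return '<img src="/resources/images/tracker.gif?searchTerms=' +
    encodeHtmlAttribute(query) + '">';
}

// Preferred browser fix (browser-only, not exercised here): no document.write and
// no string building; the DOM API treats the term as data, never as markup.
function renderTrackerWithDomApi(doc, search) {
  const img = doc.createElement('img');
  img.src = '/resources/images/tracker.gif?searchTerms=' +
    encodeURIComponent(getSearchTerm(search));
  doc.body.appendChild(img);
  return img;
}

// Hypothetical check: did the term break out of the attribute? A single <img>
// should produce exactly one tag start; any extra tag means injected markup.
function brokeOutOfAttribute(html) {
  const tagStarts = html.match(/<[a-z]/gi) ?? [];
  return tagStarts.length !== 1;
}

// Constructed input: the page's payload as the browser would carry it in location.search.
const PAYLOAD_SEARCH = '?search=' + encodeURIComponent('"><script>alert(1)</script>');
```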