3) DOM XSS in document.write sink using source location.search

The search term is reflected on the result page.

A simple XSS attempt fails:

The page source shows that a JavaScript snippet reads the search term from the URL (location.search) and writes it into an img tag via document.write for some kind of tracking:

Using the browser tools, I can inspect the resulting HTML. It is clear that my search term is embedded without any apparent safeguards:

Of course, the script tags are inside a quoted attribute value here, so they are harmless. However, if I can terminate the attribute string by injecting a double quote, then I can manipulate the resulting HTML freely.

The malicious payload

Injecting "><script>alert(1)</script> results in the following HTML:

The injected script runs and the lab is solved.
