
DOM XSS in document.write sink using source location.search

Introduction to DOM XSS in document.write sink using source location.search

DOM-based cross-site scripting (DOM XSS) is a type of vulnerability in which an attacker injects malicious code into a web page’s Document Object Model (DOM), which is subsequently executed by the victim’s browser. “DOM XSS in document.write sink using source location.search” refers to a specific scenario in which attacker-controllable data from location.search (the source) is passed to the document.write function (the sink).

Lab Solutions | Practical Work Time DOM XSS in document.write sink

This lab contains a DOM-based cross-site scripting vulnerability in the search query tracking functionality. It uses the JavaScript document.write function, which writes data out to the page. The document.write function is called with data from location.search, which you can control using the website URL.

To solve this lab, perform a cross-site scripting attack that calls the alert function.

Stepwise solution of the lab:

After accessing the lab you can see there’s a search functionality (search box). We’ve already discussed it in the previous article.


Let’s search for anything to understand the code inside of it via ‘view-source’.


Here, you can see that the search term is displayed inside an h1 tag. So let’s give it a try with a simple XSS payload.

<script>alert(1)</script>

As you can see here, the <script> tag doesn’t work. The tags are rendered as literal text and not interpreted as HTML or script code, which is why the payload is displayed as typed without being decoded. In this kind of scenario, let’s think it through and use this payload for DOM XSS instead.

"><svg onload=alert(1)>

Have a look, BOOM! We’ve successfully solved this lab. In the next article, we will explore more about DOM cross-site scripting (XSS) and its types that can also be performed in real-world web application pen-testing.
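Why the quote matters, and how to fix the sink, shown as an added example that is not the lab's own code. It assumes the page writes the search term into a quoted attribute; the tracker markup, the parameter name `search`, and all function names are hypothetical, and each function returns the string that would reach document.write.

```javascript
// Added example. The tracker markup and the "search" parameter name are assumptions.
// Vulnerable pattern: the raw query value is concatenated into a quoted attribute.
function unsafeMarkup(search) {
  const query = new URLSearchParams(search).get('search') || '';
  return '<img src="/tracker.gif?searchTerms=' + query + '">';
}

// Escape the characters that can end an attribute value or start a tag.
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: URL-encode for the query string, then escape for the attribute.
function safeMarkup(search) {
  const query = new URLSearchParams(search).get('search') || '';
  return '<img src="/tracker.gif?searchTerms=' + escapeAttr(encodeURIComponent(query)) + '">';
}

// Simplified scanner (not a full HTML parser): lists the tags the markup opens,
// treating quoted attribute values as opaque text.
function openedTags(html) {
  const tags = [];
  let i = 0;
  while (i < html.length) {
    const m = /^<([a-zA-Z][a-zA-Z0-9]*)/.exec(html.slice(i));
    if (!m) { i++; continue; }
    tags.push(m[1].toLowerCase());
    i += m[0].length;
    let quote = null;
    for (; i < html.length; i++) {
      const c = html[i];
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === '>') { i++; break; }
    }
  }
  return tags;
}

// Constructed inputs: the two search strings tried in the walkthrough.
const scriptUrl = '?search=' + encodeURIComponent('<script>alert(1)</script>');
const svgUrl = '?search=' + encodeURIComponent('"><svg onload=alert(1)>');

console.log(openedTags(unsafeMarkup(scriptUrl))); // value stays inside src="..."
console.log(openedTags(unsafeMarkup(svgUrl)));    // quote closes src, a second tag opens
console.log(openedTags(safeMarkup(svgUrl)));      // value stays inside src="..."
```

In the browser, creating the element with document.createElement and assigning its src property avoids HTML parsing of the value altogether, which is preferable to escaping input for document.write.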

I hope you loved reading this article. After completing it, we highly recommend that you study the next article: DOM XSS in document.write sink using source location.search. Please don’t forget to leave a comment here and share it with your friends as well. Good luck!

Thank you for reading, if this article really helps you then do share it with your mates.
And follow @masaudsec on Twitter.

FAQs

What is web security?

Website security refers to protecting a website or web application from cyberattacks, unauthorized access, or other security threats.

What is web application security?

Web application security means protecting a website from cyberattacks. These attacks may include vulnerabilities such as SQL injection, XSS, file inclusion, and others.

Which of the following is a good security practice for web browsing?

It is always good practice to use an up-to-date browser with timely updates. Keep your browser plugins up to date, avoid malicious websites and links, always enable two-factor authentication, and guard against clickjacking.

How to find someone’s social security number on the dark web

Searching for someone’s social security number or credit card information on the dark web is illegal and unethical. It is important to always avoid such activities and protect yourself and others from cyber threats.


