DOM XSS in document.write sink using source location.search
Description
This lab contains a DOM-based cross-site scripting vulnerability in the search query tracking functionality. It uses the JavaScript document.write function, which writes data out to the page. The document.write function is called with data from location.search, which you can control using the website URL.
To solve this lab, perform a cross-site scripting attack that calls the alert function.
Approach
After accessing the lab, I enabled the FoxyProxy extension to proxy all requests through Burp Suite. While navigating the site, I intercepted the search request and sent it to Burp Suite's Repeater for further analysis:
Upon examining the response, I noticed that my input was being passed to the JavaScript function document.write:

    <script>
    function trackSearch(query) {
        document.write('<img src="/resources/images/tracker.gif?searchTerms='+query+'">');
    }
    var query = (new URLSearchParams(window.location.search)).get('search');
    if(query) {
        trackSearch(query);
    }
    </script>
To exploit this vulnerability, I need to break out of the src attribute and close the existing img tag, then inject a second img tag carrying a malicious event handler. The goal is to trigger an alert when the new image fails to load, using the onerror attribute. My payload will look like this:
Since my payload includes special characters, I need to URL encode it to ensure it is properly handled in the HTTP request. The encoded payload is:
Injecting the payload into the request URL:
When the browser loads this URL, the injected image fails to load, the onerror handler fires, and an alert box is displayed. The lab is solved as soon as the alert pops up, confirming that the XSS vulnerability has been successfully exploited.
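As an added example (not the lab's own code, and not the payload used above), here is the trackSearch sink rewritten without document.write, beside the original pattern, plus a small check a reviewer can run to see whether a query leaves the src attribute. The document stand-in and the sample query are constructed so the code runs in Node without a browser.

```javascript
// Vulnerable pattern, as in the lab: the query is concatenated straight into
// markup that document.write will parse, so a " or > inside the query changes
// the HTML structure instead of staying inside the src attribute.
function buildTrackerMarkupUnsafe(query) {
  return '<img src="/resources/images/tracker.gif?searchTerms=' + query + '">';
}

// Hardened: percent-encode the untrusted value so it can only ever be part of
// the query string. encodeURIComponent escapes " < > ' and & among others.
function buildTrackerUrl(query) {
  return '/resources/images/tracker.gif?searchTerms=' + encodeURIComponent(query);
}

// If markup must still be produced, build it from the encoded URL only.
function buildTrackerMarkupSafe(query) {
  return '<img src="' + buildTrackerUrl(query) + '">';
}

// Preferred sink: no document.write at all. Create the element and assign src
// through the DOM property; the value cannot alter the element tree.
function trackSearchSafe(doc, query) {
  const img = doc.createElement('img');
  img.src = buildTrackerUrl(query);
  doc.body.appendChild(img);
  return img;
}

// Constructed stand-in for `document` so trackSearchSafe runs outside a browser.
function makeFakeDocument() {
  const body = { children: [], appendChild(el) { this.children.push(el); } };
  return { body, createElement: (tag) => ({ tagName: tag.toUpperCase(), src: '' }) };
}

// Reviewer check: a single img tag whose only quotes are the pair around src.
// Anything else means the query escaped the attribute context.
function attributeIsIntact(markup) {
  const quotes = (markup.match(/"/g) || []).length;
  const openTags = (markup.match(/</g) || []).length;
  return quotes === 2 && openTags === 1;
}

// Constructed sample query, chosen only because it contains " and >.
const SAMPLE_QUERY = 'shoes"><i>';
```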