Day 4: DOM XSS in innerHTML sink using source location.search: Zero to Hero Series — Portswigger
Summary
The blog discusses a lab whose objective is to identify a DOM XSS in an innerHTML sink and use it to inject a script through the search field.
The search field does not appear to accept any parameters, but inspection of the page's JavaScript shows that data from the query string is written directly into the HTML element with the id “searchMessage”, which makes that element susceptible to JavaScript injection.
The blog explains that although this injection point is present, it is not possible to inject a script tag and have it executed.
This is because browsers do not execute script elements that are inserted via the innerHTML method.
However, the blog explains that it is still possible to inject an image tag with a data attribute and an onerror handler that triggers a pop-up.
The blog then explains why this works: the onerror handler runs as soon as the image file cannot be found (there is no file with the label “11”), so the handler executes even though scripts inserted via innerHTML do not.
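To make the sink and its fix concrete, here is an added example that is not code from the lab or the blog: a minimal model of a page that reads `location.search` and writes the `search` parameter into the `searchMessage` element, beside a hardened version that encodes the value first. The element stub, the parameter name `search` and the `escapeHtml` helper are assumptions so that the code runs outside a browser.

```javascript
// Added example (not the lab's or the blog's own code). A stub element stands in
// for <span id="searchMessage"> so this runs in Node without a DOM.
function makeElement() {
  return { innerHTML: '' };
}

// Read the `search` parameter the way a page reading location.search would.
// (Assumption: the lab's parameter is named `search`.)
function getSearchTerm(locationSearch) {
  return new URLSearchParams(locationSearch).get('search') || '';
}

// Vulnerable sink: the untrusted query value is written as HTML, so any markup in
// it is parsed. In a real browser an <img onerror> written this way fires its
// handler when the image fails to load, while a <script> tag written via
// innerHTML is not executed.
function renderVulnerable(locationSearch, el) {
  el.innerHTML = getSearchTerm(locationSearch);
  return el.innerHTML;
}

// Minimal HTML encoder: '&' must be handled first so later entities are not
// double-encoded. (Assumption: no library helper is available.)
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened sink: the value is encoded before reaching innerHTML, so '<' and '>'
// arrive as text, not tags. Assigning to el.textContent achieves the same in a
// browser when no surrounding markup is needed.
function renderSafe(locationSearch, el) {
  el.innerHTML = escapeHtml(getSearchTerm(locationSearch));
  return el.innerHTML;
}

// Review-time check over the string a sink received: does it contain an element
// carrying an event-handler attribute (onerror, onload, ...)?
function containsEventHandlerMarkup(html) {
  return /<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Constructed sample query in the shape the blog describes: an image tag whose
// load fails, with an onerror handler.
const SAMPLE_QUERY = '?search=' + encodeURIComponent('<img src=11 onerror=alert(1)>');
```

Running `renderVulnerable(SAMPLE_QUERY, makeElement())` returns the raw tag, which `containsEventHandlerMarkup` flags; `renderSafe` returns the encoded text, which it does not.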