DOM XSS in innerHTML Sink Using Source location.search

2. Open the Burp Browser and enable Burp DOM Invader.

3. Open the developer tools and switch to the DOM Invader tab.

4. Copy the canary, then inject it into the searchBlog field.

5. Examine the output and observe that your canary lands in the element.innerHTML sink. Moreover, nothing prevents you from injecting an XSS payload.

6. Remember how the innerHTML sink behaves: modern browsers do not allow script tags or svg tags to be used inside an innerHTML sink. However, it might be possible to use an img tag to deliver a successful XSS attack.

7. Inject the following payload into the searchBlog field; the lab should then be solved.
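
The flow DOM Invader reports in step 5, and two ways to close it, shown as an added example that is not code from the lab or from the original post. The `search` parameter name, the function names and the stand-in element objects are assumptions; the sample input is constructed, harmless markup.

```javascript
// Added example. The "search" parameter name and the element passed in are assumptions.

// Source: read the user-controllable value out of a query string (location.search).
function readQuery(search, param = 'search') {
  return new URLSearchParams(search).get(param) || '';
}

// Vulnerable pattern: the source flows unchanged into the innerHTML sink,
// so the browser parses the value as markup.
function renderUnsafe(el, search) {
  el.innerHTML = readQuery(search);
}

// Preferred fix: textContent never invokes the HTML parser.
function renderText(el, search) {
  el.textContent = readQuery(search);
}

// Fallback when the value must sit inside an HTML template: encode every
// character that can open a tag, an attribute value or an entity.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

function renderEscaped(el, search) {
  el.innerHTML = '<span>Results for: ' + escapeHtml(readQuery(search)) + '</span>';
}

// Constructed input: harmless markup, URL-encoded as it would appear in the address bar.
const SAMPLE_SEARCH = '?search=%3Cb%20title%3D%22x%22%3Ecanary%3C%2Fb%3E';

// Plain objects stand in for DOM elements so the flow can be inspected outside a browser.
function demo() {
  const unsafe = {}, text = {}, escaped = {};
  renderUnsafe(unsafe, SAMPLE_SEARCH);
  renderText(text, SAMPLE_SEARCH);
  renderEscaped(escaped, SAMPLE_SEARCH);
  return { unsafe: unsafe.innerHTML, text: text.textContent, escaped: escaped.innerHTML };
}

console.log(demo());
```

In a browser, pass a real element and `location.search` to the render functions; only `renderUnsafe` lets the value reach the HTML parser as markup.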
