Burp Suite User Forum


Lab: DOM XSS in document.write sink using source location.search inside a select element

Giulio | Last updated: Jul 19, 2021 02:29PM UTC

Hello, I have a very simple question regarding this lab: I'm not really sure why my payload worked. The source-sink of this DOM-based XSS is the GET param `storeId` and can be summarized here:

```javascript
var store = (new URLSearchParams(window.location.search)).get('storeId');
if (store) {
    document.write('<option selected>' + store + '</option>');
}
```

We're writing an HTML tag `<option>` with our value inside. I tried some isolated values, like sending a single `>` or `<`, and they get HTML-encoded. However (and here starts my question), if I send the following string as payload (without the quotes): "Blabla</option><script>alert()</script>", I was able to obtain this HTML result: `<option selected="">Blabla</option> <script>alert()</script>`. What happened? Why are my `><` no longer escaped? How was I able to exit the option tag and add my own? Also, the 'extra' `</option>` tag disappeared.
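As an added example (not part of Giulio's post and not PortSwigger's lab code), the following puts the concatenation pattern from the question beside two defensive alternatives: escaping the untrusted value before it is interpolated into markup, and skipping markup construction altogether by building the `<option>` through DOM APIs. The names `htmlEscape`, `buildOptionUnsafe`, `buildOptionSafe`, `renderSelectedOption` and `tagCount` are my own choices, and the sample input is the string quoted in the post.

```javascript
// Added example: vulnerable string-building sink vs. two hardened forms.
// Runs in Node for the string functions; renderSelectedOption needs a
// document object (a browser, or a stub in tests).

// Encode the five characters that can change HTML context.
function htmlEscape(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The pattern from the lab: untrusted input concatenated into markup.
// Any '</option>' in the value ends the element and whatever follows is
// parsed as new markup, not as text.
function buildOptionUnsafe(store) {
  return '<option selected>' + store + '</option>';
}

// Hardened form 1: escape before interpolation, so the value can only ever
// be text content of the option.
function buildOptionSafe(store) {
  return '<option selected>' + htmlEscape(store) + '</option>';
}

// Hardened form 2 (preferred): never build markup from the value at all.
// textContent assigns text; the parser is never involved.
function renderSelectedOption(doc, store) {
  const option = doc.createElement('option');
  option.selected = true;
  option.textContent = store;
  doc.querySelector('select').appendChild(option);
  return option;
}

// Simple check usable in a unit test or a code-review script: count the
// tags present in the produced markup. A correct option string contains
// exactly two (the open and close tag); anything more means breakout.
function tagCount(markup) {
  return (markup.match(/<\/?[a-zA-Z]/g) || []).length;
}

// Constructed input: the exact value quoted in the forum post.
const sample = 'Blabla</option><script>alert()</script>';
console.log('unsafe tags:', tagCount(buildOptionUnsafe(sample)));  // 5
console.log('safe tags:  ', tagCount(buildOptionSafe(sample)));    // 2
```

The `tagCount` check is what a reviewer would wire into a test for any `document.write` or `innerHTML` site that takes a query parameter: feed it the page's own known-bad value and assert the element count does not grow.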
