XSS 09
This exercise is one of our challenges on Cross-Site Scripting.
In this example, you will explore a DOM-based XSS vulnerability on a static page. The JavaScript code on the page retrieves the anchor portion of the URL and writes it into the page using document.write without proper escaping. This behavior can be exploited to execute arbitrary JavaScript code by manipulating the URL.
The lab highlights how modern browsers encode the URL fragment, necessitating the use of decodeURIComponent to decode the fragment before writing it to the page. This example illustrates how older browsers were susceptible to such attacks even without decoding, and how the vulnerability persists with the use of decodeURIComponent. By understanding the source code and observing the rendered HTML, you can craft a payload that demonstrates the XSS vulnerability.
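The behaviour described above, modelled as an added example that is not the lab's own source: each function returns the string that would reach document.write, so the raw, decoded and escaped forms can be compared side by side in Node. The function names, the lab.example host and the sample fragment are assumptions made for illustration.

```javascript
// Added example: models the page's sink as pure functions so it runs in Node.
// All names here are hypothetical; the lab's own code is not reproduced.

// Constructed sample input: harmless markup standing in for untrusted text.
const SAMPLE_URL = 'http://lab.example/#<b>hi</b>';

// What location.hash holds in a modern browser: the URL parser has already
// percent-encoded "<" and ">" inside the fragment.
function fragmentOf(url) {
  return new URL(url).hash.slice(1); // drop the leading "#"
}

// Pattern 1: write the fragment as-is. With a modern URL parser the angle
// brackets arrive as %3C / %3E, so nothing is parsed as markup.
function htmlWrittenRaw(url) {
  return fragmentOf(url);
}

// Pattern 2 (the vulnerable form the page describes): decode, then write.
// decodeURIComponent restores "<" and ">", so the value is parsed as HTML.
function htmlWrittenDecoded(url) {
  return decodeURIComponent(fragmentOf(url));
}

// Hardened form: decode for display, then escape HTML metacharacters before
// the value reaches an HTML sink.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

function htmlWrittenEscaped(url) {
  return escapeHtml(decodeURIComponent(fragmentOf(url)));
}

console.log('raw     :', htmlWrittenRaw(SAMPLE_URL));
console.log('decoded :', htmlWrittenDecoded(SAMPLE_URL));
console.log('escaped :', htmlWrittenEscaped(SAMPLE_URL));
```

In a browser, assigning the decoded value to an element's textContent instead of calling document.write gives the same result as the escaped form without manual escaping.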