Solving PortSwigger’s lab: DOM XSS in document.write sink using source location.search inside a select element
The following is my documentation on PortSwigger’s Academy labs.
End goal: Perform a cross-site scripting attack that breaks out of the select element and calls the alert function
What you’ll need:
- A browser able to inspect page elements (like Firefox)
- A basic understanding of JavaScript and HTML
First, we navigate to a product page in the lab, right-click the “Check stock” button on the bottom of the page, and inspect the element, keeping an eye out for any script tags.
Upon inspecting the page’s code we find this:
The JavaScript extracts a storeId from the location.search source. It then uses document.write to create a new option in the select element, which is used by the stock checker functionality. Further, we see the storeId options underneath a select tag. Keep this in mind, as it will be our key to breaking out later.
We are going to play around with storeId, not only to get a better understanding of the code but also to see whether there are any limits on how we can influence the page. We begin by searching for a random query in our URL bar (in this case I used "1nfornography", because, ego) by appending an & to the URL, followed by storeId=1nfornography
After letting the page load, we can now see that “1nfornography” is listed in the drop-down list. Groovy, huh? Let’s dig deeper by right-clicking the drop-down once more to inspect the element and see what happened in the back end.
Now that we know that we can at least inject a string, we can proceed to craft a payload to try and solve the lab.
So, what do? Yes, what do indeed! Remember the <select name="storeId"> tag? Everything we try to inject will be trapped inside it unless we find a way to escape. That means that if we simply substitute "1nfornography" with an alert script in our previous payload, that script will essentially be neutralized. So, how do we escape? Simple: we close out that select tag in our new payload! We append &storeId=1nfornography to our URL as before, followed by ></select><img%20src=1%20onerror=alert(1)>
Send that payload and we get our alert, which means that we have solved the lab!
We can see our payload in action by inspecting the element once more; this is not a requirement, but it is still a good learning opportunity.
We can see our </select> tag right under 1nfornography, allowing our script to escape and run.
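To make the sink and the fix concrete, here is an added example (my own code, not the lab's script or PortSwigger's) that models the pattern described above in plain Node: the lab's document.write calls are assumed to look roughly like document.write('<option selected>' + store + '</option>'), and are replaced here by string concatenation so the emitted markup can be inspected offline. The store list and the function names (getStoreId, renderSelectUnsafe, renderSelectSafe, htmlEncode, breaksOutOfSelect) are my own.

```javascript
// Constructed sample store list; the real lab's stores are not assumed here.
const STORES = ["London", "Paris", "Milan"];

// Reads storeId from a query string the same way the page reads location.search.
function getStoreId(search) {
  return new URLSearchParams(search).get("storeId");
}

// Vulnerable pattern (modeled on the write-up): the untrusted value is written
// straight into the markup, so a value ending in "></select><img ...>" closes the
// select early and the browser parses the injected tag as real HTML.
function renderSelectUnsafe(search) {
  const store = getStoreId(search);
  let html = '<select name="storeId">';
  if (store) html += "<option selected>" + store + "</option>";
  for (const s of STORES) if (s !== store) html += "<option>" + s + "</option>";
  return html + "</select>";
}

// Minimal HTML encoder for text placed inside an element body.
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Hardened pattern: only a known store is ever echoed back (allow-list), and
// every value is HTML-encoded before it touches the markup. A value that is not
// in the list simply leaves nothing pre-selected.
function renderSelectSafe(search) {
  const store = getStoreId(search);
  const selected = STORES.includes(store) ? store : null;
  let html = '<select name="storeId">';
  for (const s of STORES) {
    html += s === selected ? "<option selected>" : "<option>";
    html += htmlEncode(s) + "</option>";
  }
  return html + "</select>";
}

// Check for the break-out the write-up shows: if more than one </select>
// appears, something other than our own closing tag ended the element.
function breaksOutOfSelect(html) {
  return html.indexOf("</select>") !== html.lastIndexOf("</select>");
}
```

Feeding the write-up's own storeId value into renderSelectUnsafe reproduces the extra </select> seen in the inspector, while renderSelectSafe emits the same three plain options regardless of what storeId contains.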
Notes
The payload in this lab was similar to the one we used in another DOM XSS lab. Both payloads took advantage of an HTML IMG tag erroring out because of an invalid SRC. Once the error occurs, the onerror handler fires, which lets us trigger the alert.
I used the following resources in this exercise:
- Lab solution
Filed under: Cybersecurity, Pentesting, PortSwigger Academy, XSS attack - @ December 22, 2023 11:34 pm