Paweł Adamski - 6 months ago
Javascript Question

Failed DOM-based XSS. Inserting script through innerHTML

I wanted to show my students an example of a DOM-based XSS attack. I thought that inserting a malicious script via innerHTML would be enough. But to my surprise, when I insert the script it seems not to be invoked.

Example is here https://jsfiddle.net/vo9baffu/6/


My question: is it possible to do a DOM-based XSS attack in the way presented in my example? If not, then why, and what should I change?

BTW, if you know some good examples of DOM-based XSS, please post them in a comment.

Answer

Briefly: You can't make a DOM-based XSS attack in the way presented in your example.

You have to include jQuery in your HTML and use the html() method instead. This will accomplish exactly what you ask for, because the html() method will evaluate the code embedded in the script tag.

With pure JavaScript, you can't make an XSS attack, because the script you insert will not execute in most cases. That happens because the inline script only executes when the original page is parsed.

You can show your students an XSS attack by using an img tag and an error event as shown below:

<img src="whatever.png" onerror="alert('XSS')" />

as shown in this fiddle.
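
For the classroom demo discussed above, the innerHTML sink beside two hardened forms, as an added example that is not part of the original question or answer. A script element inserted through innerHTML is not executed, but event-handler attributes such as onerror are, so the sink stays unsafe for untrusted input. The function names and the element id "out" are assumptions made for illustration.

```javascript
// Added example; escapeHtml, renderUnsafe, renderSafe and renderTemplate are hypothetical names.

// Constructed sample inputs; the second is the payload quoted in the answer.
const SAMPLES = [
  "<script>alert('XSS')</script>",
  "<img src=\"whatever.png\" onerror=\"alert('XSS')\" />",
];

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode the characters that can open a tag, an entity or an attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: untrusted input reaches the HTML parser.
// SAMPLES[0] stays inert here, SAMPLES[1] runs its onerror handler.
function renderUnsafe(el, untrusted) {
  el.innerHTML = "Hello " + untrusted;
}

// Hardened: textContent never invokes the HTML parser, so both samples
// are displayed as literal text.
function renderSafe(el, untrusted) {
  el.textContent = "Hello " + untrusted;
}

// Hardened when markup around the value is required: escape the value only.
function renderTemplate(el, untrusted) {
  el.innerHTML = "<b>Hello</b> " + escapeHtml(untrusted);
}

// In a browser, render into an element with id "out" (assumed id).
if (typeof document !== "undefined") {
  const out = document.getElementById("out");
  if (out) renderSafe(out, SAMPLES[1]);
}
```

Swapping renderSafe for renderUnsafe in the last lines lets students compare the two behaviours on the same input.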