The JavaScript utility functions used on this page, in particular the URLSearchParams interface, might not work in all browsers: see
the list of browsers that support it.
The fragment of HTML below uses JavaScript in combination with
the DOM to retrieve the parameter name from the
URL and include it in the content of the page. If you
change the value of the parameter name, say from
'John' to 'Maria', the webpage should change.
Hello
!
Welcome to this webpage.
You can now try to inject HTML mark-up tags, or even scripts, in
the parameter name.
For instance, try the links below:
Alter the URL to change the effect of the script.
Or see what happens if you enter a name followed by a script, or
multiple scripts.
Send yourself an email with one of these XSS links, and see if your
email client strips suspicious scripts from URLs
inside emails when you click them.
If it does, you could try to use a URL-shortener,
such as https://tinyurl.com,
to create an abbreviated URL that hides any script tags
from the email client. This will also prevent people
from seeing the suspicious script tags inside the link
before they click on it.
If you're curious to try out some fancier JavaScript features: you could inject XSS which opens tabs in the victim's browser. See demo_DOM or JS_via_console for examples of JavaScript that opens new tabs.
Note that the DOM-based cross-site scripting on this page is
no threat to our web server: you are simply injecting
JavaScript that you are running client-side in your own
browser. The script is sent to the server, but the server
does nothing with it: the server just returns a fixed HTML
page, and it is only when your browser renders this page, and
executes the JavaScript inside, that the payload in the
name parameter 'detonates'.
A typical XSS injection via the DOM will not be as simple as
on this page.
There may be many places where an attacker could try to insert
malicious input. Here it is done via URL parameters, but it
could be done via any input field to the web
application.
If inputs supplied by an attacker are passed back and forth between
client and server, they may end up being HTML- or
URL-decoded, which may prevent them from triggering as
scripts. In fact, for this page, the name
parameter in the URL is URL-encoded. Normally this would
prevent it from being executable JavaScript, as
<script> URL-encodes to
%3Cscript%3E. However, the JavaScript library
function we use to retrieve the parameter values -- the
function get of the class
URLSearchParams -- is kind enough to automatically
URL-decode data for us ;-)
If the JavaScript inside this webpage URL- or HTML-encoded
the parameter before inserting it
in the HTML, then a simple DOM-based XSS would no longer be
possible. For instance, the URL-encoded name in
the current URL is
.
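The two points above, that URLSearchParams.get hands back the parameter already URL-decoded and that HTML-encoding it (or assigning it via textContent instead of innerHTML) closes the hole, are shown side by side in this added example. It is not the course page's own script; the function names, the escapeHtml helper and the query strings are constructed for illustration, and the functions return the resulting markup as strings so the behaviour can be checked without a browser DOM.

```javascript
// Added example (not the course page's own code). Shows why the decoded `name`
// parameter must be encoded before it becomes part of the page.

// Mirrors the vulnerable pattern on the page: the decoded parameter value is
// interpolated straight into HTML. In a browser this string would be assigned
// to element.innerHTML, so any tags in `name` are parsed as markup.
function renderGreetingUnsafe(queryString) {
  const name = new URLSearchParams(queryString).get("name") ?? "";
  return `Hello ${name}!`;
}

// Minimal HTML entity encoding for text placed inside an element's content.
// Hypothetical helper written for this example.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened version: the same decoded value, but HTML-encoded before insertion,
// so <b> arrives in the page as the literal text "<b>", not as a tag.
function renderGreetingSafe(queryString) {
  const name = new URLSearchParams(queryString).get("name") ?? "";
  return `Hello ${escapeHtml(name)}!`;
}

// Preferred form in a real page: textContent treats the value as text, never
// as markup, so no manual escaping is needed. `element` is any object with a
// textContent property (a DOM element in the browser; a plain object here).
function setGreetingTextContent(element, queryString) {
  const name = new URLSearchParams(queryString).get("name") ?? "";
  element.textContent = `Hello ${name}!`;
  return element.textContent;
}

// Constructed sample input: the name parameter carries URL-encoded markup.
const sampleQuery = "?name=%3Cb%3EMaria%3C%2Fb%3E";

// URLSearchParams.get already decodes %3C / %3E back to < and >.
console.log(new URLSearchParams(sampleQuery).get("name")); // <b>Maria</b>
console.log(renderGreetingUnsafe(sampleQuery)); // Hello <b>Maria</b>!   (markup is live)
console.log(renderGreetingSafe(sampleQuery));   // Hello &lt;b&gt;Maria&lt;/b&gt;!
console.log(setGreetingTextContent({ textContent: "" }, "?name=Maria")); // Hello Maria!
```

Run it with Node.js, which provides URLSearchParams as a global. The unsafe and safe renderers receive exactly the same decoded string; the only difference is whether that string is treated as markup or as text, which is the whole of the fix the page describes.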