Our community has moved to Discord. Join us there!
Cybr.com/Discord
These forums are still up for historical purposes.

Home Page Forums General Discussions Cybersecurity My XSS attempt doesn’t seem to work on a simple HTML page I made

Tagged: 

  • Cybersecurity

    My XSS attempt doesn’t seem to work on a simple HTML page I made

    Posted by techblazes on January 15, 2022 at 12:30 pm

    Hello everyone,

    I wrote a small app with HTML and JS to try and replicate the effect, however the script is not being executed.
    There’s no input sanitization whatsoever.

    Could somebody have a look at this codepen and let me know what I am doing wrong?

    https://codepen.io/techblazes/pen/oNeBPNz

    Christophe replied 2 years, 3 months ago 2 Members · 1 Reply
  • 1 Reply

  • Christophe

    Administrator
    January 16, 2022 at 12:37 am

    Hey @techblazes ! Answered in Discord but will also answer here for anyone else wondering.

    Your sample code is vulnerable and does work with certain payloads.

    .innerHTML doesn’t allow for scripts to be executed, so it actually prevents XSS payloads that use script tags (like <script>alert(1)</script>)

    It does not prevent XSS payloads that make use of onload events, like: <img src=x onerror=alert();>

Log in to reply.

Start of Discussion
0 of 0 replies June 2018
Now

Report

Harassment or bullying behavior
Contains mature or sensitive content
Contains misleading or false information
Contains abusive or derogatory content
Contains spam, fake content or potential malware

Block Member?

Please confirm you want to block this member.

You will no longer be able to:

  • See blocked member's posts
  • Mention this member in posts

Please allow a few minutes for this process to complete.

Report

You have already reported this .