My XSS attempt doesn’t seem to work on a simple HTML page I made

    Posted by techblazes on January 15, 2022 at 12:30 pm

    Hello everyone,

    I wrote a small app with HTML and JS to try and replicate the effect; however, the script is not being executed.
    There’s no input sanitization whatsoever.

    Could somebody have a look at this codepen and let me know what I am doing wrong?

    https://codepen.io/techblazes/pen/oNeBPNz

  • Christophe (Administrator) replied on January 16, 2022 at 12:37 am

    Hey @techblazes! Answered in Discord but will also answer here for anyone else wondering.

    Your sample code is vulnerable and does work with certain payloads.

    .innerHTML doesn’t allow for scripts to be executed, so it actually prevents XSS payloads that use script tags (like <script>alert(1)</script>)

    It does not prevent XSS payloads that make use of onload events, like: <img src=x onerror=alert();>
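
The following is an added example, not code from the original thread or from techblazes' codepen. It demonstrates the point made in the reply above in JavaScript: a vulnerable .innerHTML sink next to two safe ways of rendering the same untrusted text. The payload strings, the "Hello, <name>" template and the #out container id are constructed for this demo. Run it in a browser console to see that the <script> payload is inserted into the DOM but never runs, while the onerror payload pops the alert; in Node the DOM part is skipped and only the escaping helper runs.

```javascript
// Added example, not code from the original thread or the poster's codepen.
// It shows why assigning untrusted text to .innerHTML does not execute
// <script> elements but still executes inline event-handler attributes
// (onerror, onload, ...), so the sink is an XSS sink regardless, and it shows
// two safe alternatives. Payloads, template and container id are constructed.

// Constructed sample payloads, as a tester would type them into an unsanitized field.
const PAYLOADS = {
  // Inert when inserted via innerHTML: the HTML parser marks scripts created
  // this way as "already started", so the browser never runs them.
  scriptTag: '<script>alert(1)<\/script>',
  // Executes: the <img> element is created, src=x fails to load,
  // and the browser fires the inline onerror handler.
  imgOnerror: '<img src=x onerror=alert(1)>',
};

// Vulnerable sink: untrusted text is concatenated into markup and parsed as HTML.
function renderUnsafe(container, untrusted) {
  container.innerHTML = '<p>Hello, ' + untrusted + '</p>';
}

// Safe sink 1: build the DOM and assign the text as data, never as markup.
function renderSafe(container, untrusted) {
  const p = document.createElement('p');
  p.textContent = 'Hello, ' + untrusted;
  container.replaceChildren(p);
}

// Safe sink 2: if you must build a markup string, HTML-encode the five
// characters that can change how the parser reads it. Returns the encoded string.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderEscaped(container, untrusted) {
  container.innerHTML = '<p>Hello, ' + escapeHtml(untrusted) + '</p>';
}

// Browser-only demo: works in a page containing <div id="out"></div>, or
// paste it into the console of any page and it creates the container itself.
if (typeof document !== 'undefined') {
  const out =
    document.getElementById('out') ||
    document.body.appendChild(document.createElement('div'));

  renderUnsafe(out, PAYLOADS.scriptTag);
  // A <script> node now exists in the DOM (querySelector finds it),
  // yet no alert appeared: innerHTML-inserted scripts do not run.
  console.log('script element inserted:', out.querySelector('script') !== null);

  renderUnsafe(out, PAYLOADS.imgOnerror);  // alert(1) fires once the image fails to load

  renderSafe(out, PAYLOADS.imgOnerror);    // the literal text "<img src=x ...>" is displayed
  renderEscaped(out, PAYLOADS.imgOnerror); // same result, via the encoded markup string
}
```

The practical takeaway is that the fact that innerHTML does not run <script> elements is not a defence: it only removes one payload shape, and an attacker will reach for an element with an inline handler instead. Prefer textContent (or building nodes with createElement) so untrusted data can never be parsed as markup; reach for output encoding only when you genuinely have to build a markup string, and encode for the exact context (HTML body, attribute value, URL) you are writing into.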
