  • My XSS attempt doesn’t seem to work on a simple HTML page I made

    Posted by techblazes on January 15, 2022 at 12:30 pm

    Hello everyone,

    I wrote a small app with HTML and JS to try and replicate the effect, however the script is not being executed.
    There’s no input sanitization whatsoever.

    Could somebody have a look at this codepen and let me know what I am doing wrong?

    https://codepen.io/techblazes/pen/oNeBPNz

  • Christophe

    Administrator
    January 16, 2022 at 12:37 am

    Hey @techblazes ! Answered in Discord but will also answer here for anyone else wondering.

    Your sample code is vulnerable and does work with certain payloads.

    .innerHTML doesn’t allow for scripts to be executed, so it actually prevents XSS payloads that use script tags (like <script>alert(1)</script>).

    It does not prevent XSS payloads that make use of onload events, like: <img src=x onerror=alert();>
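
A self-contained page that reproduces the experiment the reply describes, added here as an example (it is not the original codepen, which is not reproduced, and not code from either poster). The element ids, the `log` helper and the two payload strings are my own constructions. Opened in any browser, it injects both payloads into the same innerHTML sink: the script-tag payload is parsed into a script element but never runs, while the img onerror payload runs as soon as the broken image fails to load. The textContent sink beside it shows the fix, since textContent never parses the string as markup.

```html
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>innerHTML sink: script tag vs. event-handler attribute</title>
</head>
<body>
  <h1>DOM XSS test page (added example)</h1>
  <p>Vulnerable sink (innerHTML):</p>
  <div id="vuln"></div>
  <p>Hardened sink (textContent):</p>
  <div id="safe"></div>
  <p>Log:</p>
  <pre id="log"></pre>

  <script>
    // Constructed payloads for the experiment; neither is taken from a real attack.
    const payloads = {
      // Parsed into a <script> element but never executed: the HTML spec marks
      // script elements created through innerHTML as not executable.
      // "<\/script>" keeps the outer <script> block from being closed early.
      scriptTag: '<script>log("script tag ran")<\/script>',
      // Parsed into an <img>; the broken src fires the onerror handler, which runs.
      imgOnError: '<img src=x onerror="log(\'onerror handler ran\')">'
    };

    // Writes one line to the visible log (assumed helper, not part of the original).
    function log(msg) {
      document.getElementById('log').textContent += msg + '\n';
    }

    // Vulnerable: the untrusted string reaches innerHTML unchanged and is parsed as HTML.
    function renderVulnerable(untrusted) {
      document.getElementById('vuln').innerHTML += untrusted;
    }

    // Hardened: textContent treats the whole string as text, so no markup is parsed
    // and neither payload can execute.
    function renderSafe(untrusted) {
      document.getElementById('safe').textContent += untrusted;
    }

    for (const [name, p] of Object.entries(payloads)) {
      log('injecting ' + name);
      renderVulnerable(p);
      renderSafe(p);
    }
    // Expected log: both "injecting ..." lines, then "onerror handler ran" once the
    // image load fails (it fires asynchronously). "script tag ran" never appears.
  </script>
</body>
</html>
```

The same holds for any element that carries an event-handler attribute (for example <svg onload=...>), so the absence of script execution is not a reason to treat an innerHTML sink as safe; only a sink that does not parse markup, or an allow-list sanitizer applied before it, closes the hole.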