0

I am trying to create a DOM based attack using a html file. The file is as follows :

<html> 
<head>
<script type="text/javascript">    
 function fun() {
 var val = document.getElementById("mytext").value;
 document.getElementById("p1").innerHTML = unescape(val);
}

</script>
</head>
<body>
<p id ="p1">Empty</p>
Give input : <input id="mytext" type="text" value="abcd" >
<input type="button" id="b1" onclick="fun()" value="Change link" >

</body>
</html>

When I pass <script>alert('hello world');</script> inside the text box and click on the button the p tag doesn't run the script. What might be the possible reason? I am learning XSS for testing our website for security.

Nishant Lakhara
  • 2,295
  • 4
  • 23
  • 46
  • you could use $("#p1").html(val) instead of plain innerHTML, which doesn't execute script tags. or, eval() the script tag contents, but then why bother at that point? – dandavis May 07 '14 at 07:07
  • possible duplicate of [Can scripts be inserted with innerHTML?](http://stackoverflow.com/questions/1197575/can-scripts-be-inserted-with-innerhtml) In other words, your testbed is just invalid. For XSS, one would use one of the techniques described in this question – CodingIntrigue May 07 '14 at 07:07
  • I changed my method to function fun() { var val = document.getElementById("mytext").value; var source = document.getElementById("p1"); source.innerHTML = val; eval(source.innerHTML); } Still it is not working – Nishant Lakhara May 07 '14 at 07:30
  • Also i think that modern browsers already have some kind of protection against xss attacks, try testing in older browsers like ie 6,7 – chyupa May 08 '14 at 07:06

1 Answers1

0

Try inserting instead. Scripts do not run when inserted into innerHTML.

Erlend
  • 4,336
  • 22
  • 25