
I am trying to inject a script to create an XSS. My HTML input tag looks like:

```html
<div>
    User name:
</div>
<div>
    <input type="text" id="uname" onblur="unOut()">
</div>
<div id="unamewar" style="display:none;color:red; background-color:#ffe4b5">
</div>
```

And my javascript looks like:

```javascript
function unOut(){
    var x;
    x = document.getElementById("uname").value;
    if(x != ""){
        // The field value is parsed as HTML here; this is the injection point
        document.getElementById("unamewar").innerHTML = x;
    }
}
```

So here when I try to inject an HTML tag, say "< h1 > Hai < /h1 >", it works as an HTML injection (i.e. 'Hai' is displayed as a header in the div unamewar). But when I try the same with a script tag, for example "< script >alert("Hai);< /script >", it doesn't get executed. I would like to know how to inject a script as an XSS in my code.

Gokul
  • I think you shouldn't do something like that, because it's not quite clean... Maybe look for require.js or rethink your architecture. But if it's for the challenge of doing such a thing, maybe you should try to create a .js file. Inside of it, a function with what you want to do. Then create a script element, specify its src (yourfile.js), attach it where you want in the body. The trick is to add an event listener on "load", and call your function inside your file as a callback – Zyigh Dec 26 '17 at 13:19
  • Possible duplicate of [Can scripts be inserted with innerHTML?](https://stackoverflow.com/questions/1197575/can-scripts-be-inserted-with-innerhtml) Script elements aren't executed when inserted with innerHTML, but you can use onload of an img tag instead. – fgb Dec 26 '17 at 16:35
  • Yes, they are almost the same, but it doesn't solve my problem. I am learning how to create an xss. So to test it, I created the above form. So if an attacker is to inject a script in the input text, I want to know if that can be done and how to do it. – Gokul Dec 27 '17 at 05:21
  • Input `` – fgb Dec 27 '17 at 11:45
  • Thank you, it is working – Gokul Dec 28 '17 at 05:06
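
As the comments note, `innerHTML` does not run inserted script elements but still parses all other markup, event-handler attributes included, so the assignment in `unOut()` remains an injection sink. The hardened form is sketched below as an added example that is not part of the original post; `escapeHtml`, `unOutSafe`, the `doc` parameter and the stub document are assumed names:

```javascript
// Added example: hardened form of the question's unOut(). Only the ids
// "uname" and "unamewar" come from the question; other names are assumptions.

// Encode the five characters that are significant in HTML text and
// quoted-attribute contexts, for places where a string must be built as HTML.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Same flow as unOut(), but the value is assigned as text, so the browser
// never parses it as markup and creates no elements or event handlers.
function unOutSafe(doc) {
  const x = doc.getElementById("uname").value;
  const box = doc.getElementById("unamewar");
  if (x !== "") {
    box.textContent = x;
  }
  return box;
}

// Constructed stand-in for the two elements so the block also runs outside a
// browser; in a page, call unOutSafe(document) from the onblur handler.
function makeStubDocument(inputValue) {
  const nodes = {
    uname: { value: inputValue },
    unamewar: { textContent: "" },
  };
  return { getElementById: (id) => nodes[id] };
}

const sample = "<h1> Hai </h1>"; // the markup tried in the question
console.log(unOutSafe(makeStubDocument(sample)).textContent); // shown literally
console.log(escapeHtml(sample)); // encoded form for HTML string contexts
```

With `textContent` the header markup from the question appears as literal characters in the div instead of being rendered.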

0 Answers