2

I am learning XSS for a CTF competition. I have a problem. I was trying to show an alert on my own webpage when I fill <script>alert(1)</script> into the input field on my webpage.

    <html>
    <head>
     <script>
      function c(){
       var inp = document.getElementById("myname");
       var elements = document.getElementsByClassName("hello");
       elements[0].innerHTML = inp.value;
      }
     </script>
    </head>
     <body>
      <div class="hello">Hello world</div>
    
      <input id="myname">
      <button onclick="c()">submit</button>
     </body>
    </html>

Expected output on filling <script>alert(1)</script> on the webpage- An alert Actual output - Nothing happens. The text "Hello world" also goes away.

I have seen a few videos on youtube where they try this trick on forms where HTTP request is being sent. However, why does it not work in this case?

P.S. - I am a beginner in this topic so if the information provided in the question is insufficient , please clarify in comments.

user185887
  • 643
  • 6
  • 18
  • 3
    Try entering `` in the input box – VLAZ Jun 18 '20 at 21:09
  • @VLAZ That doesn't mean that Stack Overflow is XSS Vulnerable, right ? :rofl: – Alex Kordatzakis Jun 19 '20 at 08:12
  • 1
    @AlexKordatzakis the stack snippets execute whatever code you give them. There is *some* protection but it's mostly an artefact of how the snippets are executing, as opposed to intentional feature. Although there *are* some security features and they do sometimes interfere with legitimate attempts to showcase something. If the snippets were protected from injecting code they'd be quite useless as they would simply not run any code. – VLAZ Jun 19 '20 at 08:43
  • Thanks for the explanation! But, I mean.. I don't think a website like S.O. would be XSS Vulnerable.... At least not with that easy payloads like the one you mentioned...! Haahah. – Alex Kordatzakis Jun 19 '20 at 12:45

0 Answers0