Create an simple XSS situation

Question

I want to create an simple XSS. Below is my code

<body> 
    <script>
        function update(){
            const message = document.getElementById("message").value;
            document.getElementById("show_message").innerHTML = message
        }
    </script>
    <h1 class="title">Cross-Site Scripting</h1>
    <div class="input">
        <input type="text" id="message"/><br/>
        <button type="button" onclick="update()">submit</button>
    </div>
    <hr/>
    <div id="root">
        You typed : 
        <span id="show_message">
        </span>
    </div>
</body>

Then I tried to type in <script>alert(1);</script>.But it didn't work.
Where's the problem?

`.innerHTML` does not execute code within ``, consider using `document.write()` to execute it — Nick Parsons, Nov 10 '22 at 10:01

score 2 · Accepted Answer · answered Nov 10 '22 at 10:00

2

The script tag is not going to run because the browser is not going to let you do that. It is EXACTLY there to prevent such XSS attacks.

Anyway, if you want to see it run you can check other answers:

If you just want an input that can run, create one using img

<image/src/onerror=alert(8)>

List

Codepen Demo

answered Nov 10 '22 at 10:00

Tushar Shahi

16,452
1
18
39

1

yeah I've tried img tag so I was pretty confusing. now I got it. thx for your help – Warren Hogan Nov 10 '22 at 10:58
1

No worries. Feel free to accept the answer to complete the question – Tushar Shahi Nov 10 '22 at 15:52

馬料水碼農 · Answer 2 · 2022-11-10T10:23:13.620

1

There is nothing wrong with your code! Are you using Chrome? Chrome now uses Trusted Types for DOM Manipulation. So it automatically protects you from this simple XSS attack.

By the way, if you want to try more XSS attacks, I recommend you play with the seedlab.

edited Nov 10 '22 at 10:23

answered Nov 10 '22 at 10:15

馬料水碼農

161
10

yeah I'm using Chrome. thx for your help and information – Warren Hogan Nov 10 '22 at 10:59

Create an simple XSS situation

2 Answers2