Talk:Testing for DOM-based Cross site scripting (OTG-CLIENT-001)

I've now tried this PoC code locally and remotely without receiving any alert box:

document.write("Site is at: " + document.location.href + ".");

I've tested this in FF3, IE7 and IE5. Can anyone explain why this simple PoC won't work?

  • I realize this is a very old question, but I wanted to point out that the script there will not produce an alert box. That script is only writing to the page with the document.write function. The alert box comes into play by appending the #<script>alert('xss')</script> to the vulnerable page's URL (as the article mentions).
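
Added example, not part of the original discussion or the OWASP article: it models the string that the PoC hands to document.write so the sink can be checked in Node without a browser, next to an escaped version. The function names and the example.test URLs are constructed for illustration, and the percent-encoded sample assumes a browser that encodes < and > in the fragment before exposing location.href.

```javascript
// Added example: models the string passed to document.write() in the PoC.
// All function names here are hypothetical, not from the OWASP article.

// HTML-escape the five characters that can change the parsing context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  }[c]));
}

// Pattern from the thread: URL text concatenated straight into markup.
function unsafeMarkup(href) {
  return "Site is at: " + href + ".";
}

// Hardened form: same text for benign URLs, markup characters neutralised.
function safeMarkup(href) {
  return "Site is at: " + escapeHtml(href) + ".";
}

// Review check: true when the string would open or close an element if parsed as HTML.
function introducesTag(markup) {
  return /<[a-z!\/]/i.test(markup);
}

// Constructed sample values (example.test is a placeholder host).
const rawHref = "http://example.test/page.html#<script>alert('xss')</script>";
// Assumed form of location.href when the browser percent-encodes the fragment.
const encodedHref = "http://example.test/page.html#%3Cscript%3Ealert('xss')%3C/script%3E";

function demo() {
  return {
    rawUnsafe: introducesTag(unsafeMarkup(rawHref)),
    encodedUnsafe: introducesTag(unsafeMarkup(encodedHref)),
    // Decoding before writing restores the markup, so escape after decoding.
    decodedUnsafe: introducesTag(unsafeMarkup(decodeURIComponent(encodedHref))),
    decodedSafe: introducesTag(safeMarkup(decodeURIComponent(encodedHref))),
  };
}

console.log(demo());
```

In a real page, assigning the value with element.textContent avoids the HTML parser entirely and makes the manual escaping unnecessary.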