Difference between revisions of "Talk:Testing for DOM-based Cross site scripting (OTG-CLIENT-001)"
(responded to the question)
m (Andrew Muller moved page Talk:Testing for DOM-based Cross site scripting (OWASP-DV-003) to Talk:Testing for DOM-based Cross site scripting (OTG-CLIENT-001): Align with Common Numbering)
Latest revision as of 12:01, 5 August 2014
I've now tried this PoC code locally and remotely without receiving any alert box:
<script> document.write("Site is at: " + document.location.href + "."); </script>
I've tested this in FF3, IE7 and IE5. Can anyone explain why this simple PoC won't work?
- I realize this is a very old question, but I wanted to point out that the script there will not produce an alert box. That script is only writing to the page with the document.write function. The alert box comes into play by appending the #<script>alert('xss')</script> to the vulnerable page's URL (as the article mentions).
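The point made in the reply, as an added example that is not part of the original talk page or the OWASP article: it models the string the PoC hands to document.write, with and without the appended fragment, next to an HTML-encoded variant. The function names and the example.test URLs are constructed for illustration, and `href` stands in for document.location.href so the code runs outside a browser.

```javascript
// Added example: what the PoC passes to document.write, modelled without a DOM.
// `href` stands in for document.location.href; URLs below are constructed samples.

// Vulnerable form, as in the PoC: the URL is concatenated into markup unchanged.
function renderUnsafe(href) {
  return "Site is at: " + href + ".";
}

// Hardened form: HTML-encode the untrusted value before it reaches an HTML sink.
// In a real page, assigning to element.textContent avoids the HTML parser entirely.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(href) {
  return "Site is at: " + escapeHtml(href) + ".";
}

// Crude review aid: would this string open a script element if parsed as HTML?
function containsScriptTag(markup) {
  return /<script\b/i.test(markup);
}

// Constructed inputs: the bare page URL, and the same URL with the fragment
// quoted in the reply above.
const plainUrl = "http://example.test/page.html";
const fragmentUrl = plainUrl + "#<script>alert('xss')</script>";

// Summarise all three cases so the difference is visible in one run.
function summarize() {
  return {
    plainUnsafe: containsScriptTag(renderUnsafe(plainUrl)),     // nothing to execute
    fragmentUnsafe: containsScriptTag(renderUnsafe(fragmentUrl)), // tag reaches the sink
    fragmentSafe: containsScriptTag(renderSafe(fragmentUrl)),   // encoded, inert text
  };
}

console.log(summarize());
console.log(renderSafe(fragmentUrl));
```

With the bare URL nothing script-like reaches the sink, which matches the questioner's observation that no alert box appears.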