
Difference between revisions of "Talk:Testing for DOM-based Cross site scripting (OTG-CLIENT-001)"

From OWASP
(responded to the question)
 

Latest revision as of 12:01, 5 August 2014

I've now tried this PoC code locally and remotely without receiving any alert box:

<script>
document.write("Site is at: " + document.location.href + ".");
</script>

I've tested this in FF3, IE7 and IE5. Can anyone explain why this simple PoC won't work?


  • I realize this is a very old question, but I wanted to point out that the script there will not produce an alert box. That script is only writing to the page with the document.write function. The alert box comes into play by appending the #<script>alert('xss')</script> to the vulnerable page's URL (as the article mentions).
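
The point made in the reply above, as an added example that is not part of the original discussion or the OWASP article: it builds the string the PoC passes to document.write for a URL with and without the fragment, next to an HTML-encoded variant. The function names and the test.example URLs are constructed for illustration, and the code runs in Node without a browser.

```javascript
// Added example; names and URLs below are constructed, not taken from the wiki.

// What the PoC hands to document.write(): the URL is concatenated in as markup.
function unsafeMarkup(href) {
  return "Site is at: " + href + ".";
}

// HTML-encode the characters that let text break out into markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened form: the URL is encoded before it reaches the HTML sink.
// In a browser, assigning the value to element.textContent achieves the
// same result without going through the HTML parser at all.
function safeMarkup(href) {
  return "Site is at: " + escapeHtml(href) + ".";
}

// Crude check: would an HTML parser see the start of a tag in this string?
function containsTag(markup) {
  return /<[a-zA-Z\/!]/.test(markup);
}

// Constructed sample inputs: the page URL as the poster loaded it, and the
// same URL with the fragment the reply refers to.
const plainUrl = "http://test.example/page.html";
const fragmentUrl = "http://test.example/page.html#<script>alert('xss')</script>";

// Compare both URLs through the vulnerable and the hardened path.
function report() {
  return [plainUrl, fragmentUrl].map((href) => ({
    href,
    unsafeHasTag: containsTag(unsafeMarkup(href)),
    safeHasTag: containsTag(safeMarkup(href)),
  }));
}

console.log(report());
```

With the plain URL the written string is only text, which is why no alert box appears; only the URL carrying the fragment yields markup, and the encoded variant stays text in both cases.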