
Talk:Testing for DOM-based Cross site scripting (OTG-CLIENT-001)

Revision as of 20:12, 29 July 2010 by Matt Heckathorn (talk | contribs) (responded to the question)


I've now tried this PoC code locally and remotely without receiving any alert box:

<script>
document.write("Site is at: " + document.location.href + ".");
</script>

I've tested this in FF3, IE7 and IE5. Can anyone explain why this simple PoC won't work?


  • I realize this is a very old question, but I wanted to point out that the script there will not produce an alert box. That script is only writing to the page with the document.write function. The alert box comes into play by appending the #<script>alert('xss')</script> to the vulnerable page's URL (as the article mentions).
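
The behaviour discussed in this thread, modelled outside a browser as an added example (not part of the original discussion or the OWASP article). It goes slightly beyond the thread by also showing how a WHATWG URL parser serializes the fragment, and a hardened sink. The function names and the `example.test` host are assumptions made for the illustration.

```javascript
// Added example: models the PoC's document.write() sink as plain string
// building so it runs under Node.js. All URLs below are constructed samples.

// What the PoC writes: the URL is concatenated into markup unchanged.
function vulnerableWrite(href) {
  return "Site is at: " + href + ".";
}

// Hardened form: HTML-encode the untrusted value before it reaches an HTML
// sink. (In a browser, assigning to element.textContent has the same effect.)
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}
function safeWrite(href) {
  return "Site is at: " + escapeHtml(href) + ".";
}

// True when the written output would be parsed as containing a script element.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Case 1: the page opened as-is. Only text is written, so no alert box.
const plain = "http://example.test/page.html";

// Case 2: the fragment from the article appended, reaching the sink unencoded.
const rawWithFragment = plain + "#<script>alert('xss')</script>";

// Case 3: the same URL as serialized by a WHATWG URL parser (Node's URL class),
// which percent-encodes "<" and ">" in the fragment.
const serialized = new URL(rawWithFragment).href;

// Case 4: code that decodes the URL before writing it undoes that encoding,
// so parser-side encoding is not a fix; encode at the sink instead.
const decodedAgain = decodeURIComponent(serialized);

function demo() {
  return {
    plain: containsScriptTag(vulnerableWrite(plain)),
    rawFragment: containsScriptTag(vulnerableWrite(rawWithFragment)),
    serialized: containsScriptTag(vulnerableWrite(serialized)),
    decodedAgain: containsScriptTag(vulnerableWrite(decodedAgain)),
    hardened: containsScriptTag(safeWrite(decodedAgain)),
  };
}

console.log(demo());
```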