Talk:Testing for DOM-based Cross site scripting (OWASP-DV-003)

From OWASP
Revision as of 15:12, 29 July 2010 by Matt Heckathorn (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

I've now tried this PoC code local and remotely without any receiving any alert box:

<script>
document.write("Site is at: " + document.location.href + ".");
</script>

I've tested this in both FF3, IE7 and IE5. Can anyone explain why this simple PoC won't work?


  • I realize this a is a very old question, but I wanted to point out that the script there will not produce an alert box. That script is only writing to the page with the document.write function. The alert box comes into play by appending the #<script>alert('xss')</script> to the vulnerable pages URL (as the article mentions).