Lab: DOM XSS in document.write sink using source location.search inside a select element
Solution
- View product detail page.
- Inspect element on the check stock feature.
- Notice the JavaScript code that uses window.location.search to get the value of storeId.
- Assign the payload to the URL query like this:
?productId=1&storeId="></select><img%20src=1%20onerror=alert(window.location)>
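
Why the storeId value escapes the select element, and how the sink can be hardened, shown as an added example that is not the lab's own code. The function names and the store list are constructed for illustration, and each function returns the markup string that would otherwise be passed to document.write.

```javascript
// Added illustration: STORES and all function names are assumptions,
// not taken from the lab page.
const STORES = ["London", "Paris", "Milan"]; // constructed sample data

// Vulnerable pattern: the storeId query value is concatenated into markup
// destined for document.write(), so markup in the value is parsed as HTML.
function renderSelectUnsafe(search) {
  const store = new URLSearchParams(search).get("storeId");
  let html = '<select name="storeId">';
  if (store) html += "<option selected>" + store + "</option>";
  for (const s of STORES) {
    if (s !== store) html += "<option>" + s + "</option>";
  }
  return html + "</select>";
}

// Encode the characters that let text switch into tag or attribute context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: only a value from the allowlist can be marked selected;
// anything else is ignored. Escaping stays in place as defense in depth.
function renderSelectSafe(search) {
  const requested = new URLSearchParams(search).get("storeId");
  const store = STORES.includes(requested) ? requested : null;
  let html = '<select name="storeId">';
  for (const s of STORES) {
    html += (s === store ? "<option selected>" : "<option>") + escapeHtml(s) + "</option>";
  }
  return html + "</select>";
}

// Check for reviews and tests: true when a </select> appears before the
// final one, meaning input closed the element early.
function closesSelectEarly(html) {
  return html.indexOf("</select>") !== html.length - "</select>".length;
}
```

In a browser, building the options with document.createElement and textContent avoids string-built markup altogether.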