DOM-based-XSS.html?name=foobar
For the demonstration, you must replace the foobar
in the URL
field of the browsers with e.q.
<script>alert('XSS!')</script>
As long as the browser didn't encode the <- und >-chars a alert box
pops up after the reload.
Listing 1.2 (Call it!):
<svg xmlns="http://www.w3.org/2000/svg">
<script type="text/javascript">
alert(1)
</script>
</svg>
Listing 1.3 (Call it!):
<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg">
<script type="text/javascript">
alert("Not a SVG image, but a XSS attack!")
</script>
</svg>
<script>
function multiply(a, b) {
var c = a * b;
alert(a + " * " + b + " = " + c);
}
setTimeout("multiply = function() {alert('Hi Jack was there');} ", 10000);
</script>
<input type="button" value="7 * 7 = ?" onclick="multiply(7,7);">
Listing 1.7 (Call it!):
<script>
var originalAlert = window.alert;
function wrongAlert(message) {
output = "I report most obediently: " + message;
originalAlert(output);
}
window.alert = wrongAlert;
alert("Nothing to report!");
</script>