Juicy Shop

DOM-based Cross-Site Scripting in Search

Cross-Site ScriptingA03:2021 – Injection (XSS)high

Vulnerability

The search page takes the `q` parameter from the URL and writes it into the page as raw HTML (via a dangerous raw-HTML prop). Because the value is never encoded, an attacker can craft a link containing markup such as an <iframe> or <img onerror> that executes JavaScript in the victim's browser — stealing cookies/session tokens or performing actions as the victim. The payload never touches the server, making it DOM-based XSS.

Exploit Steps

  1. Navigate to the search page
  2. In the URL, set the query param: ?q=<iframe src="javascript:alert(document.cookie)">
  3. If the page renders the q param directly into the DOM without encoding, the iframe executes
  4. Observe the alert fires — this is DOM-based XSS

Tools: browser devtools, URL bar

Mitigation & Solution

Never inject user-controlled strings as raw HTML. Use React JSX text nodes which auto-escape. Sanitise with DOMPurify only if HTML rendering is genuinely required.

Coding Challenge

Find It

File: apps/juicy-shop/src/app/(shop)/search/page.tsx

Click the line that contains the vulnerability:

Fix It