Juicy Shop
DOM-based Cross-Site Scripting in Search
Cross-Site ScriptingA03:2021 – Injection (XSS)high
Vulnerability
The search page takes the `q` parameter from the URL and writes it into the page as raw HTML (via a dangerous raw-HTML prop). Because the value is never encoded, an attacker can craft a link containing markup such as an <iframe> or <img onerror> that executes JavaScript in the victim's browser — stealing cookies/session tokens or performing actions as the victim. The payload never touches the server, making it DOM-based XSS.
Exploit Steps
- Navigate to the search page
- In the URL, set the query param: ?q=<iframe src="javascript:alert(document.cookie)">
- If the page renders the q param directly into the DOM without encoding, the iframe executes
- Observe the alert fires — this is DOM-based XSS
Tools: browser devtools, URL bar
Mitigation & Solution
Never inject user-controlled strings as raw HTML. Use React JSX text nodes which auto-escape. Sanitise with DOMPurify only if HTML rendering is genuinely required.
Coding Challenge
Find It
File: apps/juicy-shop/src/app/(shop)/search/page.tsx
Click the line that contains the vulnerability: