I’ve been trying to use this code in some XSS research I am conducting. I wish to spawn an iframe on a vulnerable page, with the text of my choosing. If I take the below code and put it in HTML tags and browse to it, then the iframe is created as expected with the text. However, if I try to inject the code into my test surface (Damn Vulnerable Web Application), the iframe window is spawned but no text is produced. Can anyone tell me what’s happening here and if there is a way to fix it?
<script type="text/javascript">
function populateIframe() {
    var ifrm = document.getElementById('myIframe');
    ifrm = (ifrm.contentWindow) ? ifrm.contentWindow : (ifrm.contentDocument.document) ? ifrm.contentDocument.document : ifrm.contentDocument;
    ifrm.document.open();
    ifrm.document.write("hello world!");
    ifrm.document.close();
}
</script>
<body onload="populateIframe();">
<iframe id="myIframe"></iframe>
Thanks!
Try closing your <script> tag.

If that doesn’t help, it’s possible that populateIframe() is not being called.

Without knowing your situation exactly, I venture that the vulnerable page already has a <body> element that’s interfering with your second one’s wanting to load... not precisely sure what happens when there are 2 body tags. If this is the case, you might remove the extra body tag and replace the iframe with:

Then your JS will be called when the iframe is done being added to the DOM.