5) DOM XSS in jQuery anchor href attribute sink using location.search source
Clicking the Submit feedback link on the main page of the blog leads to the path /feedback?returnPath=/. Opening the developer tools and looking through the scripts in the client-side files, we find one that may be vulnerable to DOM XSS, since it reads from the window.location source.
The code inside the script tag dynamically sets the "href" attribute of the HTML element with the ID "backLink" (the one containing the text Back, i.e. <a id="backLink">Back</a>) to the value of the "returnPath" query parameter in the URL. The intent is a link that, when clicked, takes the user back to the page named by "returnPath". The sink here is jQuery's attr("href", ...): it writes whatever value it is given into the attribute verbatim, without checking the scheme or whether the target stays on the same origin.
So if returnPath=/xxxx, the element becomes <a id="backLink" href="/xxxx">Back</a>.
If we put a random string in the returnPath URL search parameter and then inspect the Back button, the string appears unchanged in the href attribute. So we can exploit this by injecting a payload into the href of the a tag through the returnPath parameter.
Searching the PortSwigger cheat sheet for payloads that work inside an href, we find this. Note that a payload in an href does not run on page load: the browser only evaluates the link's scheme when the link is followed. Press Enter to load the URL, then click the Back button so the payload executes, and we have solved the lab.
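To see the sink and the fix side by side without a browser, here is an added example (not the lab's own script and not PortSwigger's code). vulnerableBackLinkHref reproduces the behaviour described above, copying returnPath straight into the href; safeBackLinkHref is one hardened version that only accepts an absolute path on the current origin. The function names, the dummy origin https://app.invalid and the sample query strings are assumptions made for the example.

```javascript
// Added example, not the lab's own code. Models the returnPath -> href flow
// described above so it can be run offline in Node.

// Both the lab's script and this example read the parameter with URLSearchParams,
// which percent-decodes the value. An encoded payload such as
// javascript%3Aalert(1) therefore reaches the sink already decoded.
function returnPathFrom(search) {
  return new URLSearchParams(search).get('returnPath');
}

// Mirrors $('#backLink').attr('href', ...): the value is used verbatim.
function vulnerableBackLinkHref(search) {
  return returnPathFrom(search);
}

// Hardened variant: resolve the value against the site's own origin
// (https://app.invalid is a placeholder for the real one) and refuse anything
// that ends up elsewhere. This rejects javascript: and data: URLs (their origin
// is "null"), protocol-relative "//evil" and the "/\evil" variant, which the
// WHATWG URL parser also treats as a new host. The regex is a second guard
// requiring a single leading slash. Anything rejected falls back to "/".
function safeBackLinkHref(search) {
  const value = returnPathFrom(search);
  if (typeof value !== 'string') return '/';
  let url;
  try {
    url = new URL(value, 'https://app.invalid');
  } catch {
    return '/';
  }
  if (url.origin !== 'https://app.invalid') return '/';
  if (!/^\/(?![\/\\])/.test(value)) return '/';
  return url.pathname + url.search + url.hash;
}

// What the exploit relies on: a javascript: href runs when the link is clicked.
function executesOnClick(href) {
  return typeof href === 'string' && /^\s*javascript:/i.test(href);
}

module.exports = { vulnerableBackLinkHref, safeBackLinkHref, executesOnClick };
```

Run it with any Node version that has the global URL and URLSearchParams (v10 and later). The design point is that the check compares origins after parsing rather than blacklisting strings such as "javascript:", because the URL parser already normalises the leading whitespace, case and backslash tricks that a string blacklist tends to miss.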