5) DOM XSS in jQuery anchor href attribute sink using location.search source

Clicking the Submit feedback link on the main page of the blog leads to the path /feedback?returnPath=/

Now open the developer tools and look through the scripts in the client-side files. We find an interesting script that may be vulnerable to DOM XSS, since it reads from the window.location source.

The code inside the script tag dynamically updates the "href" attribute of the HTML element with the ID "backLink" (the one containing the text Back => <a id="backLink">Back</a>) based on the value of the "returnPath" query parameter in the URL. This is meant to build a link that, when clicked, takes the user back to the page indicated by the "returnPath" parameter.

So if returnPath=/xxxx, the HTML element becomes <a id="backLink" href="/xxxx">Back</a>
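To make the sink concrete, here is an added example (not the lab's own script, which is not reproduced on this page) showing the vulnerable pattern described above next to a hardened version. The shape of the jQuery call, the `SITE_ORIGIN` value and the helper names are assumptions; the fix resolves returnPath against the site's own origin and only emits path, query and fragment, so scheme-bearing values and foreign hosts fall back to "/".

```javascript
// Added example, not the lab's code. SITE_ORIGIN is an assumed placeholder
// for the blog's own origin.
const SITE_ORIGIN = 'https://example.invalid';

// Vulnerable sink as the write-up describes it (assumed shape, not copied
// from the lab): whatever returnPath holds is written straight into href.
function resolveBackHrefUnsafe(search) {
  const params = new URLSearchParams(search);
  return params.get('returnPath'); // "/" -> <a id="backLink" href="/">
}

// Hardened version: accept only in-site paths. Resolving against SITE_ORIGIN
// and comparing origins rejects scheme-bearing values, protocol-relative
// "//host" values and backslash variants such as "/\host".
function safeReturnPath(value, fallback = '/') {
  if (typeof value !== 'string' || !value.startsWith('/')) return fallback;
  let url;
  try {
    url = new URL(value, SITE_ORIGIN);
  } catch (e) {
    return fallback;
  }
  if (url.origin !== SITE_ORIGIN) return fallback;
  // Re-serialize so the link carries only a normalized path, query and hash.
  return url.pathname + url.search + url.hash;
}

function resolveBackHrefSafe(search) {
  const params = new URLSearchParams(search);
  return safeReturnPath(params.get('returnPath'));
}

// How the page's jQuery call would use the hardened helper. Only runs in a
// browser with jQuery loaded; harmless under Node.
if (typeof window !== 'undefined' && typeof $ === 'function') {
  $(function () {
    $('#backLink').attr('href', resolveBackHrefSafe(window.location.search));
  });
}
```

The origin comparison is the important part: a simple "starts with /" check alone still lets `//evil.example/x` through, because browsers treat it as a protocol-relative URL.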

If we inspect the Back button:

Let's put a random string in the returnPath query parameter.

So we can exploit this by putting a payload in the returnPath query parameter, which is injected into the href attribute of the a tag.

Searching the PortSwigger XSS cheat sheet for payloads that work inside an href attribute,

we find this:

Press Enter, then click the Back button so the payload executes.

And we have solved the lab.
