# 6) DOM XSS in jQuery selector sink using a hashchange event

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2Fz5xT3BD9kekQGvdMwLfS%2Fimage.png?alt=media&#x26;token=af9294b3-0022-4eed-b5bd-2ee95fc01425" alt=""><figcaption></figcaption></figure></div>

Looking at the home page source code reveals an interesting script that listens for changes in the URL hash and then attempts to scroll a specific blog post into view based on the hash value.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FbdFXklhzdhHc5FaRrC6I%2Fimage.png?alt=media&#x26;token=14224f6e-f033-446a-820b-ae0426764bf1" alt=""><figcaption></figcaption></figure></div>

Let's try providing a hash value in the URL and see what happens.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FM9Pph9BPjJmZNynXyDGo%2Fimage.png?alt=media&#x26;token=4c1edda0-2767-48c4-95b1-7cb6338b032b" alt=""><figcaption></figcaption></figure></div>

Nothing visible happens on the page, but if we look at the console we can see that an invalid hash value (a non-existent title) triggers an error.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FM5SAPViWnCB3NbO8Pbbz%2Fimage.png?alt=media&#x26;token=952a2f72-6506-4aa1-affc-dbf2ff2f64c1" alt=""><figcaption></figcaption></figure></div>

So what we can do is provide an XSS payload in the hash value, and to get that payload executed we make it run on an error event.

Since an invalid hash value (a non-existent title) triggers an error, this payload will be executed:

**`<img src=x onerror="alert(1)">`**

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FytKv6t7u1G6aQep8cWGz%2Fimage.png?alt=media&#x26;token=f553d035-c911-4061-81a5-11dda2016257" alt=""><figcaption></figcaption></figure></div>

The lab provides an exploit server that I can use to prepare and deliver a custom-made page. So I can create a page containing an iframe pointing at the vulnerable page. With an `onload` handler I change the fragment, which in turn triggers the `hashchange` event.

### <mark style="color:blue;">Exploit</mark>

**`<iframe src="https://0a74002203903b238482b4ac00170065.web-security-academy.net/#" onload="this.src+='<img src=x onerror=alert(1)>'"></iframe>`**

**Detailed explanation of the code.**

1. `<iframe src="https://0a74002203903b238482b4ac00170065.web-security-academy.net/#">` In this line an iframe is created and its `src` attribute is set to the lab URL. The URL ends with a `#` symbol (an empty fragment identifier), so anything appended to it later changes only the fragment, which the browser uses to address a section within the page.
2. `onload="this.src+='<img src=x onerror=alert(1)>'"` The `onload` event fires when the iframe's content is fully **loaded**. The handler then appends the payload to `this.src`, i.e. the iframe's `src` attribute. Because only the fragment changes, the browser does not reload the page but fires the `hashchange` event, and the vulnerable script passes the injected `img` tag into the jQuery selector sink inside the framed page.
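To make the sink concrete, here is an added example (not the lab's own code) that models the hashchange handler described above and a hardened replacement for it. It assumes the page builds a jQuery selector roughly as `$('section.blog-list h2:contains(' + decodeURIComponent(window.location.hash.slice(1)) + ')')`, and that the page ships a jQuery 1.x release, whose `$()` treats a string as HTML when a tag appears anywhere in it (jQuery 1.9 and later only do so when the string starts with `<`). Both regular expressions are copied from those jQuery versions; the post titles are constructed sample data.

```javascript
// Added example, not code from the lab or from PortSwigger.
// Models the hashchange handler: the vulnerable page concatenates the
// decoded URL fragment into a jQuery selector string.

// Constructed sample data standing in for the blog's <h2> post titles.
const POST_TITLES = ["Wedding Bells", "Festivals", "Procrastination"];

// jQuery 1.x (pre-1.9) rquickExpr: the string is parsed as HTML if a tag
// appears anywhere in it, or treated as an #id lookup.
const LEGACY_HTML_RE = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
// jQuery >= 1.9 rquickExpr: parsed as HTML only if the string begins with "<".
const MODERN_HTML_RE = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

// Vulnerable pattern (assumed shape of the lab's handler): user-controlled
// fragment text becomes part of a selector string passed to $().
function buildSelector(hash) {
  const needle = decodeURIComponent(hash.replace(/^#/, ""));
  return "section.blog-list h2:contains(" + needle + ")";
}

// Would $() treat this selector string as an HTML fragment (and therefore
// create the elements in it, firing handlers such as onerror)?
function treatedAsHtml(selector, legacyJquery = true) {
  const re = legacyJquery ? LEGACY_HTML_RE : MODERN_HTML_RE;
  const m = re.exec(selector);
  return Boolean(m && m[1]);
}

// Hardened version: the fragment is only ever used as data, compared
// against heading text, and never spliced into a selector or markup.
// Returns the index of the matching post, or -1 when there is none.
function findPostIndex(hash, titles = POST_TITLES) {
  let needle;
  try {
    needle = decodeURIComponent(hash.replace(/^#/, ""));
  } catch (e) {
    return -1; // malformed percent-encoding: ignore rather than throw
  }
  needle = needle.trim();
  if (needle.length === 0 || needle.length > 200) return -1;
  return titles.findIndex((title) => title === needle);
}

// Demonstration run (constructed inputs).
function demo() {
  const benign = "#Festivals";
  const hostile = "#%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"; // URL-encoded <img ...>
  return {
    benignSelector: buildSelector(benign),
    benignIsHtml: treatedAsHtml(buildSelector(benign)),
    hostileIsHtmlLegacy: treatedAsHtml(buildSelector(hostile), true),
    hostileIsHtmlModern: treatedAsHtml(buildSelector(hostile), false),
    benignPost: findPostIndex(benign),
    hostilePost: findPostIndex(hostile),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

In the real page the fix is the same idea as `findPostIndex`: select the headings with a fixed selector and then use `.filter(function () { return $(this).text().trim() === needle; })` to pick the one whose text equals the decoded fragment, so the fragment never reaches `$()` as a string. Upgrading jQuery narrows the sink (the modern regex no longer parses the selector above as HTML) but does not remove the injection, which is why the data-only comparison is the real mitigation; a `Content-Security-Policy: frame-ancestors` header would additionally block the iframe delivery step shown in the exploit.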

Now go to the exploit server, paste the exploit into the body, store it, and then deliver it to the victim (make sure the payload executes `print()` to solve the lab).

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2F2F5HyEWdJGCWl2CdTfsb%2Fimage.png?alt=media&#x26;token=855de172-c199-4777-b161-fdb1d9f7dee9" alt=""><figcaption></figcaption></figure></div>

And the lab is solved.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FdxCAZc9c9oSOyWKYQBTH%2Fimage.png?alt=media&#x26;token=355ad5d6-cdfe-4cb0-aa5e-bfea9334f66d" alt=""><figcaption></figcaption></figure></div>
