DOM XSS in jQuery anchor href attribute sink using location.search source
https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-jquery-href-attribute-sink
Last updated
https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-jquery-href-attribute-sink
Last updated
Let's click on the Submit Feedback
button.
On the Submit Feedback
page, we can open the developer tools and inspect the Back
link.
We can see that it is an <a>
tag with the backLink
ID and href="/"
.
Right below it, we can see the script which is responsible for setting it's href
attribute.
$(function() {...})
: This is a shorthand for $(document).ready(function() {...})
, which ensures that the code inside the function is executed when the DOM is fully loaded.
$('#backLink')
: Selects the HTML element with the ID 'backLink'.
.attr("href", ...)
: Sets the 'href' attribute of the selected element.
(new URLSearchParams(window.location.search)).get('returnPath')
: Retrieves the value of the 'returnPath' parameter from the URL using the URLSearchParams
API.
Now that we know how the script works, we can set the returnPath
parameter in the URI to the following:
Let's inspect the Back
link to see if our payload has been inserted.
Now if we click on the Back
link, the Javascript that has been inserted in the href
attribute will be executed.
We have solved the lab.