Lab: DOM XSS in jQuery anchor href attribute sink using location.search source

Observe

  1. Open Submit Feedback page.
  2. Right click and Inspect the web page.
  3. Read the source and notice the script tag inside the form tag, which contains the jQuery shown below. It reads the query parameter named returnPath and assigns its value to the href attribute of the a tag with id backLink.
<script>
	$(function() {
		$('#backLink').attr("href", (new URLSearchParams(window.location.search)).get('returnPath'));
	});
</script>
  4. Looking at the source again, we find the a tag with id backLink. In the markup below, the value of href is / because, when the page is opened normally, the value of returnPath in the URL is /.
<a id="backLink" href="/">Back</a>

Solution

  1. Change the value of returnPath in the URL to javascript:alert(document.cookie), like this:
?returnPath=javascript:alert(document.cookie)
  2. Hit enter and click the "Back" button.
  3. The script will be executed.

Conclusion

After changing the value of returnPath in the URL to javascript:alert(document.cookie) and hitting enter, the value javascript:alert(document.cookie) is assigned to the href attribute, so the element is constructed as <a id="backLink" href="javascript:alert(document.cookie)">Back</a>. When the "Back" button is clicked, the javascript: URL is executed and the popup is shown. The root cause is that location.search is attacker-controlled and the returnPath value reaches the href sink without any validation of its scheme.
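The fix for this sink is to validate returnPath before it reaches href. The following is an added example, not code from the lab or from PortSwigger: vulnerableHref reproduces the lab's behaviour (the raw parameter goes straight to the sink), and hardenedHref only accepts a single-slash-rooted relative path, rejecting javascript:, data:, protocol-relative (//host) and backslash-prefixed values, falling back to "/". The origin https://app.example used for resolution is a placeholder assumption; in a page you would use window.location.origin.

```javascript
// Added example (not from the lab page): reading the returnPath query
// parameter and deciding what may be written into the back link's href.

// The lab's vulnerable pattern: whatever is in location.search is returned
// unchanged, so "?returnPath=javascript:alert(document.cookie)" becomes a
// javascript: URL in the href sink.
function vulnerableHref(search) {
  return new URLSearchParams(search).get("returnPath");
}

// Hardened version: only a same-origin, slash-rooted relative path is
// allowed through; everything else falls back to a safe default.
function hardenedHref(search, fallback = "/") {
  const raw = new URLSearchParams(search).get("returnPath");
  if (raw === null) return fallback;

  // Must start with exactly one "/" (so "//evil.example" and "/\evil" are
  // refused) and contain no whitespace or control characters, which rules
  // out every absolute-scheme value such as "javascript:..." or "data:...".
  if (!/^\/(?![\/\\])[^\x00-\x1f\s]*$/.test(raw)) return fallback;

  // Resolve against a fixed origin (placeholder; use window.location.origin
  // in a real page) and confirm the result did not leave that origin.
  const base = "https://app.example";
  const resolved = new URL(raw, base);
  if (resolved.origin !== base) return fallback;

  // Return only the path, query and fragment, never a scheme or host.
  return resolved.pathname + resolved.search + resolved.hash;
}

// How the lab's jQuery would use the hardened helper in a browser
// (left as a comment so this file also runs under Node for the checks):
//   $(function () {
//     $("#backLink").attr("href", hardenedHref(window.location.search));
//   });

module.exports = { vulnerableHref, hardenedHref };
```

Note that the regex alone is not the safeguard; the URL resolution check is what guarantees the final value stays on the page's own origin even if the path contains encoded characters, and the fallback means a malformed returnPath degrades to the home page rather than to an error.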