Dom XSS In Jquery Anchor Href Attribute Sink Using Location.Search Source

Objective

jQuery and attr() function

Using jquery’s $ selector and attr()

Click to see more detail information!

Examining the source code

  1. Open the lab instance, after the landing page is loaded click to submit feedback button(at top right).
  2. Observe that in the searchbar there is a parameter that called returnPath, keep that in my mind.
  3. View the page source and realize jquery’s $ selector and attr() function is used in order to receive returnPath parameter. Let’s break down the above code snippet:
    • $(‘#backlink’) refers to the anchor tag which has id equivalent to ‘backlink’.
    • attr() function takes 2 arguments, first one is the attribute name and the second one is the value to that attribute.
    • In this case value is returnPath parameter which comes from the window.location.search sink.
     Sink: jquery attr()
     Source: location.search
    
  4. Open the Burp Browser and enable to Burp DOM Invader.
  5. Open the developer tools and DOM Invader tab.
  6. Copy the canary, then use it as value of the returnPath parameter.
  7. Search for the canary.

Hence, the canary is in the anchor tag and between the double quotes as a value, it is not possible to use script tags.However, it might be possible to use inline javascript.

Payload

?returnPath=javascript:alert(document.cookie)

Inject the above payload and the lab should have been solved.

When user clicks to the Back button alert is gonna pop up