BurpSuite Lab – DOM XSS in jQuery anchor `href` attribute sink using `location.search` source

This lab contains a DOM-based cross-site scripting vulnerability in the submit feedback page. It uses the jQuery library's `$` selector function to find an anchor element, and changes its `href` attribute using data from `location.search`.

To solve this lab, make the "back" link alert `document.cookie`.

This is the Submit feedback functionality:

If we check the URL, we can see a `returnPath` parameter:

https://0a1a00e703f5826ec0b1405b007b002d.web-security-academy.net/feedback?returnPath=/

The page uses this parameter to set the back link's `href` to the parameter's value.

So if we change the value to a random string:

https://0a1a00e703f5826ec0b1405b007b002d.web-security-academy.net/feedback?returnPath=/12345

Now we can try a `javascript:` URL as the value:

https://0a1a00e703f5826ec0b1405b007b002d.web-security-academy.net/feedback?returnPath=javascript:alert(document.domain)

Now our back link will trigger the alert function.
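One way to close this sink, as an added example that is not part of the original post or the lab's code: resolve `returnPath` against the site's own origin and only accept same-origin `http(s)` results before writing it to `href`. `ORIGIN`, `unsafeHref` and `safeHref` are hypothetical names, and the sample query strings are constructed.

```javascript
// Added example: validating returnPath before it reaches the anchor's href.
// ORIGIN is a constructed placeholder for the application's own origin.
const ORIGIN = "https://site.example";

// What the vulnerable page effectively writes to href: the raw parameter.
function unsafeHref(search) {
  return new URLSearchParams(search).get("returnPath");
}

// Hardened version: returns a same-origin relative path, or the fallback.
function safeHref(search, origin = ORIGIN, fallback = "/") {
  const raw = new URLSearchParams(search).get("returnPath");
  if (raw === null) return fallback;

  let url;
  try {
    // The URL parser normalises case, strips tabs/newlines and leading
    // spaces, and treats "\" as "/" for http(s), as browsers do.
    url = new URL(raw, origin);
  } catch {
    return fallback;
  }

  // Reject javascript:, data: and any other non-web scheme.
  if (url.protocol !== "https:" && url.protocol !== "http:") return fallback;
  // Reject absolute and scheme-relative URLs that leave the site.
  if (url.origin !== origin) return fallback;

  // Emit only the path, query and fragment, never a scheme or host.
  return url.pathname + url.search + url.hash;
}

// Constructed sample inputs, in the shape of location.search.
const samples = [
  "?returnPath=/",
  "?returnPath=/12345",
  "?returnPath=javascript:alert(document.domain)",
  "?returnPath=JaVa%09ScRiPt:alert(1)",
  "?returnPath=//other.example/x",
  "?returnPath=/\\other.example",
  "",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeHref(s));
}
```

In the page itself the result of `safeHref(location.search)` would be the value passed to the `href` setter instead of the raw parameter.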
