Introduction to DOM XSS in jQuery selector sink using a hashchange event.

In DOM XSS in jQuery selector sink using a hash change event, When a web application fails to correctly verify and sanitize user-controlled input that is utilized in jQuery selectors and triggered by changes in the URL’s fragment identification, DOM XSS in jQuery selector sinks employing a hash change event happens. This gives a hacker the ability to insert and run malicious code inside the browser of a victim, which might result in illegal activities or data theft. Before utilizing user input in jQuery selectors or any other sensitive activities, it is essential to adequately verify and sanitize it in order to avoid this issue.

Lab Solutions | Practical Work Time DOM XSS in jQuery selector

This lab contains a DOM-based cross-site scripting vulnerability on the home page. It uses jQuery’s $() selector function to auto-scroll to a given post, whose title is passed via the location.hash property.

To solve the lab, deliver an exploit to the victim that calls the print() function in their browser.

Stepwise Solution of the lab:-

As always, after accessing the lab, look at view-source via Dev-Tools. And Scroll down to find the JavaScript code.

I highly recommend, you to learn JavaScript at least the basics to read the code. But for this lab, I will break down for you what happening through this code.
Well, here $(window) is just an object, ‘hashchange‘ stands for the symbol ‘#’. so the first line of this code’s final result is that whenever the fragment identifier in the URL changes, the code inside the function will be executed.

Let me give you a simple example:-

Just Go to the URL section and put ‘#’ and any of the post’s titles and press on the ‘ENTER’ button.

Well here I found a post titled ‘Procrastination’ Simply copy that and put it after ‘#’. Don’t forget to go back on the top of the tab before executing. Do execute, well you may notice that it is automatically holding you to that post titled ‘Procrastination’. Right? So let’s execute a payload for cross-site scripting (XSS) on the web application.

#<img src=0 onerror='alert()'>

So, it’s Reflecting. Well now click on ‘Go to exploit server’. Here we’ve to do a simple execution process to solve this lab.

After clicking ‘Go to exploit server’, just scroll a little bit! here you will find a body section. Where you’ve to write a simple payload to solve this lab. But before solving this lab let’s see what will happen if you deliver the exploit in your own browser.

<iframe src="LINK OF THE LAB YOU'RE SOLVING + /#" onload="this.src+='<img src=0 onerror=print()>'"></iframe>

After clicking on ‘View exploit’.

Well, this is how will victim see in his browser after you execute this exploit. Now time to send this and solve the lab.

As you can see we’ve solved this lab very easily with a better understanding of what is the functionality we experienced that can perform in real web applications.

I hope you had loved reading this article after you had completed this article we highly recommend you to study the next article: Reflected XSS into attribute with angle brackets HTML-encoded, please don’t forget to leave a comment over here and share it with your friends as well, Good Luck!

Thank you for reading, if this article really helps you then do share it with your mates.
And follow @masaudsec on Twitter.

FAQS