TL;DR

Identify the submit feedback functionality and open the page. Notice that the ?returnPath query parameter is user-controlled and is written into the href attribute of the "Back" link. The relevant sink is jQuery's .attr(), which modifies the DOM. Adapt the payload from the learning material (alerting document.cookie instead of document.domain) to solve the lab.

Learning Material


Modern web applications are typically built using a number of third-party libraries and frameworks, which often provide additional functions and capabilities for developers. It’s important to remember that some of these are also potential sources and sinks for DOM XSS.

DOM XSS in jQuery

If a JavaScript library such as jQuery is being used, look out for sinks that can alter DOM elements on the page. For instance, jQuery's attr() function can change the attributes of DOM elements. If data is read from a user-controlled source such as the URL and passed to attr(), it may be possible to manipulate that value to cause XSS. For example, here we have some JavaScript that changes an anchor element's href attribute using data from the URL:

$(function() {
    $('#backLink').attr("href", (new URLSearchParams(window.location.search)).get('returnUrl'));
});

You can exploit this by modifying the URL so that the location.search source contains a javascript: URL. Once the page's JavaScript has written that URL into the back link's href, clicking the back link executes it:

?returnUrl=javascript:alert(document.domain)

Lab


This lab contains a DOM-based cross-site scripting vulnerability in the submit feedback page. It uses the jQuery library’s $ selector function to find an anchor element, and changes its href attribute using data from location.search.

To solve this lab, make the “back” link alert document.cookie.

Write-up


Go straight to the Submit feedback feature, which is the unusual part of this site, and open it. Notice that the page source contains the following markup and script, again built on jQuery:

<script src="/resources/js/jquery_1-8-2.js"></script>
<div class="is-linkback">
	<a id="backLink">Back</a>
</div>
<script>
$(function() {
    $('#backLink').attr("href", (new URLSearchParams(window.location.search)).get('returnPath'));
});
</script>

This is exactly the pattern from the learning material. Two details differ: the parameter is named returnPath rather than returnUrl, and the lab asks for document.cookie rather than document.domain to be alerted. Requesting the feedback page with the adjusted payload solves the lab:

GET /feedback?returnPath=javascript:alert(document.cookie)

Note that this XSS requires user interaction: the javascript: URL only runs when the victim clicks the "< Back" link, since nothing executes at the moment the href attribute is set. The root cause is that the script trusts location.search without checking that returnPath is a same-origin path (or at least not a javascript: URL) before writing it into href.
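The sink described in the learning material and in the write-up above, shown as an added example (not code from the PortSwigger lab or from this write-up): the vulnerable lookup of returnPath next to a hardened version that only accepts same-origin http(s) paths. It is written to run under Node.js with no DOM so the checks can be exercised on constructed query strings; the page origin https://example.com, the fallback path "/", and the function names are assumptions for illustration.

```javascript
// Added example, not part of the original lab or write-up. The origin below is
// an assumption standing in for the lab host; the fallback path is likewise assumed.
const PAGE_ORIGIN = 'https://example.com';
const FALLBACK_PATH = '/';

// Mirrors the lab's sink: whatever location.search carries in returnPath is
// handed straight to attr("href", ...). Returns the value attr() would receive.
function vulnerableBackHref(search) {
  return new URLSearchParams(search).get('returnPath');
}

// Hardened variant: resolve the candidate against the page origin with the
// WHATWG URL parser, then accept it only if the result is http(s) and same-origin.
// Parsing first normalises scheme tricks ("JavaScript:", "java\tscript:", leading
// whitespace) before the check, and "//evil.example/x" is rejected as a foreign
// origin instead of slipping through as a "relative" path.
function safeBackHref(search, pageOrigin = PAGE_ORIGIN) {
  const candidate = new URLSearchParams(search).get('returnPath');
  if (candidate === null) return FALLBACK_PATH;

  let url;
  try {
    url = new URL(candidate, pageOrigin);
  } catch {
    return FALLBACK_PATH; // unparseable input: fall back rather than guess
  }

  if (url.protocol !== 'https:' && url.protocol !== 'http:') return FALLBACK_PATH;
  if (url.origin !== new URL(pageOrigin).origin) return FALLBACK_PATH;

  // Return only path, query and fragment so nothing else from the input survives.
  return url.pathname + url.search + url.hash;
}

// Constructed sample query strings: the lab payload, some obfuscated variants,
// two open-redirect attempts and a legitimate same-site return path.
const SAMPLES = [
  '?returnPath=javascript:alert(document.cookie)',
  '?returnPath=%20JavaScript:alert(document.cookie)',
  '?returnPath=java%09script:alert(document.cookie)',
  '?returnPath=//evil.example/phish',
  '?returnPath=https://evil.example/phish',
  '?returnPath=/post?postId=1',
];

for (const s of SAMPLES) {
  console.log(s);
  console.log('  vulnerable href:', vulnerableBackHref(s));
  console.log('  hardened href:  ', safeBackHref(s));
}
```

The hardened function deliberately relies on the URL parser rather than on a blocklist of strings such as "javascript:", because the parser applies the same whitespace stripping and case folding the browser will apply when the link is clicked; checking the raw string would miss the obfuscated variants in the sample list.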