Burp Suite User Forum

Login to post

Cross-site scripting (DOM-based)

Adrián | Last updated: Dec 22, 2019 11:04PM UTC

Hi team, I got he following issue on my app: "The application may be vulnerable to DOM-based cross-site scripting. Data is read from window.location.hash and passed to $()." "Data is read from window.location.hash and passed to $() via the following statement: $('a[href="' + window.location.hash + '"]').click();" I tried to exploit it using https://URL#javascript:alert(document.domain); but it was not successful. Could you please tell me how that issue can be exploited? Or it's a false positive. Thanks in advance

Hannah, PortSwigger Agent | Last updated: Dec 31, 2019 01:43PM UTC

Please find the methodology for testing DOM-based XSS here: https://support.portswigger.net/customer/portal/articles/2325926-Methodology_Attacking%20Users_XSS_Using%20Burp%20Scanner%20To%20Find%20DOM%20XSS.html

You need to Log in to post a reply. Or register here, for free.