In this post, we’re going to be solving the lab: “DOM XSS in jQuery anchor href attribute sink using location.search source”:

DOM XSS in jQuery anchor href attribute sink lab start screen

In this case, to solve the lab we need to trigger an alert that displays the cookies (alert(document.cookie)).

First of all, let’s access the lab:

Lab main page showing blog articles

Once we access it, we navigate to the submit feedback section, since the statement indicates that’s where the XSS is located:

Submit feedback button on the main page

Lab feedback submission form

When we access it, if we look at the URL, we can see that by default the returnPath parameter is added:

URL showing returnPath parameter in the address bar

Let’s try adding any value to the parameter:

returnPath parameter modified with test value

At first glance nothing happens, but if we hover the mouse over the Back hyperlink:

Inspection of Back hyperlink showing injected value

We can see that the value we placed in the parameter is written straight into the href attribute of this element. So it is as simple as placing a payload that executes the alert when we click the link:

  • javascript:alert(document.cookie)
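The lab's own jQuery code is not reproduced in this post, so the following is an added example (not the lab's code) that reconstructs the sink in plain JavaScript beside a hardened version. The function names readReturnPath, isSafeReturnPath and safeReturnPath are assumed; the vulnerable reader is the pattern $('a').attr('href', returnPath) boils down to.

```javascript
// Added example, not the lab's source. Assumed helper names throughout.

// Vulnerable pattern (assumed reconstruction of the lab's behaviour): the
// returnPath query value flows straight into the Back link's href, so a
// "javascript:" URL is accepted and runs as soon as the link is clicked.
function readReturnPath(search) {
  const params = new URLSearchParams(search);
  return params.get('returnPath'); // exactly what attr('href', ...) would receive
}

// Hardened check: only accept a same-site relative path. This rejects any
// absolute URL (every scheme, javascript: included), protocol-relative "//"
// URLs, and backslashes/whitespace that browsers may normalise into a scheme
// or a different host.
function isSafeReturnPath(value) {
  if (typeof value !== 'string' || value.length === 0) return false;
  if (!value.startsWith('/') || value.startsWith('//')) return false;
  if (/[\s\\]/.test(value)) return false;
  // Resolve against a placeholder origin and confirm the result stays there.
  const base = 'https://example.invalid';
  const resolved = new URL(value, base);
  return resolved.origin === base && resolved.pathname.startsWith('/');
}

// What the page should assign to the href: the validated path, or a safe
// default when the parameter is missing or fails validation.
function safeReturnPath(search) {
  const candidate = readReturnPath(search);
  return isSafeReturnPath(candidate) ? candidate : '/';
}
```

With the hardened reader in place, the payload from this post is replaced by "/" and the Back link never carries a javascript: URL, regardless of what the user (or an attacker's link) puts in returnPath.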

JavaScript payload injected in the returnPath parameter

As we can see, we successfully solve the lab, and from the source code perspective, what we’ve achieved is the following:

HTML source code showing href attribute with JavaScript payload

Now, if we click on the Back hyperlink:

Lab solved successfully message

The JavaScript code we injected executes:

Alert window showing empty cookies

In this case, nothing appears because the only cookie we have has the HTTPOnly flag enabled:

Session cookie with HTTPOnly attribute in developer tools

This flag makes the cookie available only to the server over HTTP, not to JavaScript through document.cookie; it is a defence mechanism against exactly this kind of cookie theft. And with this explained, we have completed the lab:

Final confirmation of lab success