Day 6: DOM XSS in jQuery selector sink using a hashchange event: Zero to Hero Series — Portswigger
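This article walks through a DOM-based XSS lab in which jQuery's `$()` function and the `location.hash` property trigger the vulnerability. The attacker crafts a payload that calls the `print()` function in the victim's browser. 2025-7-2 06:38:34 Author: infosecwriteups.com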

RayofHope

Hi, my fellow hackers. This is Rayofhope. I have over 5 years of experience and am currently working as a consultant with a Big 4 firm.

It’s Day 22 of posting all the PortSwigger labs, not just the solutions. I’ll break down why we take each step, because once the ‘why’ is clear, the ‘how’ becomes easy.

Let’s Start:

Before you read this blog, make sure to read the previous one:
https://arayofhope7.medium.com/day-5-dom-xss-in-jquery-anchor-href-attribute-sink-using-location-search-afc598397e24

Video Walkthrough — You can watch the video or read the blog, totally up to you. But if you ask me, start with the video, then read the blog to connect all the dots.

LAB: This lab contains a DOM-based cross-site scripting vulnerability on the home page. It uses jQuery’s $() selector function to auto-scroll to a given post, whose title is passed via the location.hash property.

To solve the lab, deliver an exploit to the victim that calls the print() function in their browser.

This is what the lab looks like.

A hash is the part of the URL that comes after the # symbol.

This confirms that the application is vulnerable to DOM-based XSS due to the unsanitized use of window.location.hash in a hashchange event listener.

We can see that there is an exploit server available. Let’s deliver the payload through it.

Here, the iframe's src attribute points to the vulnerable page with an empty hash value. When the iframe is loaded, an XSS payload is appended to the hash, causing the hashchange event to fire.
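
On the fix side, here is one way to harden a hashchange handler of the kind this lab exploits. This is an added example, not code from the original post or from the lab: the hash is treated as plain text and compared against heading text, so it never reaches `$()` or any HTML parser. The `section.blog-list h2` selector, the length limit and all function names are assumptions for illustration.

```javascript
// Added example (not the lab's code). Vulnerable pattern described above:
// a hashchange listener that concatenates location.hash into a jQuery $() call.
// Hardened approach: decode the hash as text and compare it to each heading's
// textContent, so attacker-controlled input is never parsed as a selector or HTML.

const MAX_TITLE_LENGTH = 200; // assumed upper bound for a post title

// Returns the decoded title carried in the hash, or null if it is unusable.
function titleFromHash(hash) {
  if (typeof hash !== 'string' || !hash.startsWith('#')) return null;
  let decoded;
  try {
    decoded = decodeURIComponent(hash.slice(1));
  } catch (e) {
    return null; // malformed percent-encoding, e.g. "#%E0%A4%A"
  }
  decoded = decoded.trim();
  if (decoded.length === 0 || decoded.length > MAX_TITLE_LENGTH) return null;
  return decoded;
}

// Exact text match against existing headings; markup in the hash is just a
// string that matches nothing.
function findPost(headings, hash) {
  const wanted = titleFromHash(hash);
  if (wanted === null) return null;
  for (const h of headings) {
    if (h.textContent.trim() === wanted) return h;
  }
  return null;
}

// Wiring for a real page: the selector is a constant (assumed markup), and
// only the comparison above ever sees the hash value.
function attachSafeScroll(win, doc) {
  win.addEventListener('hashchange', () => {
    const headings = Array.from(doc.querySelectorAll('section.blog-list h2'));
    const post = findPost(headings, win.location.hash);
    if (post) post.scrollIntoView();
  });
}
```

In a browser, call `attachSafeScroll(window, document)` once at page load in place of the jQuery-based listener.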


Article source: https://infosecwriteups.com/day-6-dom-xss-in-jquery-selector-sink-using-a-hashchange-event-zero-to-hero-series-portswigger-f80367168d95?source=rss----7b722bfd1b8d---4