Level 5: DOM XSS in jQuery anchor href attribute sink using location.search source

Objective

This lab contains a DOM-based cross-site scripting vulnerability in the Submit feedback page. It uses jQuery’s $ selector to find an anchor element and modifies its href attribute using the location.search value.

To solve this lab, craft a payload that changes the "Back" link's destination to execute alert(document.cookie) when clicked.

Explanation

The application dynamically sets the href value of the "Back" link using a query parameter called returnPath. This is handled through JavaScript on the client side, using jQuery to assign the value directly from location.search.

If no proper validation or sanitization is in place, an attacker can inject a javascript: URI into this href attribute. When the user clicks the modified link, the JavaScript payload is executed in the browser context, achieving a DOM-based XSS.

This type of vulnerability arises when data from the URL is trusted blindly and placed into sensitive attributes like href, src, or onclick.

Resolution

  1. Navigate to the Submit feedback page.

  2. Modify the URL to:

?returnPath=javascript:alert(document.cookie)

  3. Press Enter to reload the page with the malicious returnPath.

  4. Click the < Back link.

  5. The alert(document.cookie) will execute, and the lab will be marked as solved.

Mitigation

  • Never assign user input to critical attributes such as href, src, or onclick without strict validation.

  • Use whitelist-based validation to ensure only safe URLs or paths (e.g., /home, /posts) are allowed in navigational links.

  • Sanitize attribute values by escaping characters or stripping unsafe protocols like javascript:.

  • Implement a Content Security Policy (CSP) to block inline JavaScript execution and javascript: URIs.

  • Prefer server-side redirection over client-side manipulation of navigation logic, where feasible.
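The sink described in the Explanation and the allowlist from the Mitigation list, side by side, as an added example that is not the lab's own code. It runs outside a browser, so the jQuery `attr('href', ...)` call is replaced by a plain object; the function names and the exact way returnPath is read from location.search are assumptions.

```javascript
// Added example, not the lab's code. Mirrors the pattern the lab page describes:
// read returnPath from location.search and write it into the Back link's href.

// Vulnerable pattern: the parameter value becomes the href unchanged, so a
// javascript: URI turns the link into click-to-run script (DOM XSS).
function vulnerableBackHref(search) {
  const value = new URLSearchParams(search).get("returnPath");
  return value === null ? "/" : value; // no validation at all
}

// Hardened pattern: accept only a same-site, path-only value; otherwise fall back to "/".
// Allowlisting the shape is safer than stripping "javascript:" (case tricks, whitespace,
// data: and vbscript: all slip past a naive blocklist).
function safeBackHref(search) {
  const value = new URLSearchParams(search).get("returnPath");
  if (value === null) return "/";
  // One leading slash (not "//", which would be protocol-relative), then a
  // conservative character set for path and optional query. Anything with a
  // scheme, backslash, whitespace, or control character is rejected.
  const pathOnly = /^\/(?!\/)[A-Za-z0-9._~\/-]*(\?[A-Za-z0-9._~=&%-]*)?$/;
  if (!pathOnly.test(value)) return "/";
  // Resolve against a fixed origin (assumed placeholder) and confirm it stays there.
  const base = "https://app.example";
  const resolved = new URL(value, base);
  return resolved.origin === base ? resolved.pathname + resolved.search : "/";
}

// Sink with a DOM-like anchor object so it can be exercised without a browser;
// in the page this would be $('#backLink').attr('href', safeBackHref(location.search)).
function applyBackLink(anchor, search) {
  anchor.href = safeBackHref(search);
  return anchor;
}
```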
