XSS — DOM XSS in jQuery selector sink using a hashchange event

efran
3 min read, Aug 7, 2023

I started solving the XSS labs on PortSwigger. The previous XSS labs were straightforward, but in this one I needed one more step.
After reading the source code, I found something interesting to focus on.

Let’s try to understand what the source code does.
$(window).on('hashchange', function(){...}) registers a handler for the hashchange event. In other words, whenever the location hash (the part of the URL after #) changes, this code is executed.

decodeURIComponent(window.location.hash.slice(1)) Looking at this part, slice(1) removes the # symbol from the string, and decodeURIComponent then decodes the URL-encoded characters. As seen in the image below, the # symbol has been removed by slice(1).

For the URL http://example.com/#test1, window.location.hash is "#test1", and:
slice(0) → #test1
slice(1) → test1
slice(2) → est1

var post = $('section.blog-list h2:contains(...)') In this part, the HTML page is searched: h2 elements inside the section with class blog-list whose text contains the decoded hash are selected and assigned to the post variable. By this point the # symbol has already been removed and the URL-encoded content decoded, so the text the user placed after the # is inserted directly into the selector string.

With the if (post) post.get(0).scrollIntoView() part, if the post variable is not empty, meaning the searched word was found, scrollIntoView is used to scroll the page to the location of the matching heading. However, if you

I was able to trigger XSS with https://lab-id.web-security-academy.net#<img src=x onerror=alert(1)>. Now, let’s load the same page inside an iframe and deliver it to the victim to trigger the XSS.

The payload triggers an alert because the string handed to the jQuery $() function now contains HTML markup. Rather than matching an existing element, the older jQuery version used by the lab treats a string containing a <tag> as HTML and creates the element; the img’s src=x fails to load, so its onerror handler runs.
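To make the decision described above concrete, here is an added example (not the lab’s code and not the author’s) that models how jQuery’s $() chooses between “query the DOM” and “parse as HTML”, applies it to the lab handler’s preprocessing (slice(1), then decodeURIComponent), and contrasts the vulnerable selector interpolation with a lookup that compares the hash as plain text. The two regexes are assumed to reproduce the HTML-detection checks from jQuery 1.8.x and 3.x; HEADINGS is a constructed stand-in for the page’s h2 texts.

```javascript
// Added example, not the lab's or the author's code: models how jQuery's $()
// decides whether a string is a CSS selector or HTML, and contrasts the lab's
// vulnerable lookup with one that never lets the hash reach a selector.

// HTML-detection patterns. Assumption: these reproduce the quickExpr / rquickExpr
// regexes from jQuery 1.8.x and 3.x respectively. The security-relevant difference
// is that 1.8 accepts '<tag>' anywhere in the string, while 3.x only accepts it at
// the very start, which is why interpolating user text into a selector was exploitable.
const QUICK_EXPR_JQ1 = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
const QUICK_EXPR_JQ3 = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

// Returns "html" when $(input) would parse the string as markup and create elements
// (so an <img onerror> inside it runs), or "selector" when it would query the DOM.
function jqueryDispatch(input, majorVersion) {
  const re = majorVersion === 1 ? QUICK_EXPR_JQ1 : QUICK_EXPR_JQ3;
  const m = re.exec(input);
  return m && m[1] ? "html" : "selector";
}

// Constructed stand-in for the text of the page's <section class="blog-list"> h2 headings.
const HEADINGS = ["Top 10 Tips", "Security Basics", "A Guide to jQuery"];

// The lab's pattern: untrusted hash text interpolated straight into the selector string.
function vulnerableSelector(hash) {
  return "section.blog-list h2:contains(" + hash + ")";
}

// Hardened lookup: the hash is compared as plain text against heading text, so it can
// never be interpreted as a selector or as HTML. Returns the matching heading or null.
function safeFindPost(hash, headings = HEADINGS) {
  const needle = hash.trim();
  if (needle === "") return null;
  return headings.find((h) => h.includes(needle)) ?? null;
}

// Mirrors the lab handler's preprocessing (drop '#', then decode) and reports what each
// jQuery generation would do with the resulting selector, alongside the safe result.
function simulateHashchange(fragment, majorVersion) {
  const hash = decodeURIComponent(fragment.slice(1));
  const selector = vulnerableSelector(hash);
  return {
    hash,
    dispatch: jqueryDispatch(selector, majorVersion),
    safeMatch: safeFindPost(hash),
  };
}

// Stand-alone run: a benign fragment and the URL-encoded form of the lab payload.
for (const frag of ["#Security", "#%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"]) {
  console.log(frag, simulateHashchange(frag, 1), "jQuery 3:", simulateHashchange(frag, 3).dispatch);
}
```

In real jQuery the hardened lookup corresponds to selecting the headings with a fixed selector and filtering on their text, for example $('section.blog-list h2').filter(function () { return $(this).text().includes(hash); }); that form is an assumption about how to rewrite the lab handler, not code from the lab.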

<iframe src="https://lab-id.web-security-academy.net/#" onload="this.src+='<img src=x onerror=alert(1)>'"></iframe>

This code sets the lab URL as the src attribute of an iframe and uses the onload event to append a malicious img tag to that URL, so that it reaches the framed page’s hashchange handler.

A detailed explanation of the code:

  1. <iframe src="https://0a4f00c0035a3e3e846b9b86001d00f8.web-security-academy.net/#"> In this line, an iframe is created and its src attribute is set to the lab URL. The URL ends with a # symbol, so the page initially loads with an empty fragment, and anything appended to the src later lands after the #.
  2. onload="this.src+='<img src=x onerror=alert(1)>'" The onload event fires once the iframe’s content is fully loaded. The handler then appends the payload to this.src, the iframe’s src attribute. Because only the part after # changes, the browser does not reload the frame; instead it fires a hashchange event inside the framed page, whose handler places the injected img tag into the jQuery selector and so triggers the XSS.

Actually, the lab has been solved successfully. Now all I need to do is replace alert(1) with print().
