June 22, 2026
PortSwigger: DOM XSS in jQuery Anchor href Attribute Sink Using location.search Source
In this lab, the website has a DOM-based XSS vulnerability in the submit feedback page.
danar
The page uses jQuery to find the Back link and changes its href attribute using data from location.search.
The goal is to make the Back link run JavaScript that shows document.cookie.
SOLUTION
First, I clicked Access the Lab. After the lab opened, I clicked Submit feedback.
After that, I was redirected to the feedback page.
In the URL, there is a parameter called returnPath.
I changed the value after returnPath=/ into a random word.
Example: returnPath=/sjdhfva
Then I opened Developer Tools and inspected the Back link.
The random word appeared inside the href attribute like this:
<a id="backLink" href="/sjdhfva">Back</a>
I checked the href attribute to know where the value from returnPath was placed.
This is important because the lab uses the value from the URL and puts it into the Back link. If the value is placed inside href, it means I can control where the Back link goes.
So, instead of making the Back link go to a normal page, I can change it to run JavaScript.
After confirming that returnPath controls the href value, I changed the parameter into this payload:
javascript:alert(document.cookie)
So the URL became:
/feedback?returnPath=javascript:alert(document.cookie)
Then I pressed Enter to reload the page with the new value.
Why This Payload Works
The payload used is:
javascript:alert(document.cookie)
The javascript: part is used inside an href attribute to run JavaScript when the link is clicked.
The function:
alert(document.cookie)
shows the current page cookie in an alert pop-up.
This works because the website takes the returnPath value from the URL and puts it directly into the href attribute of the Back link.
So, the Back link becomes similar to this:
<a id="backLink" href="javascript:alert(document.cookie)">Back</a>
Because of that, when I clicked Back, the browser did not move to another page. Instead, it executed the JavaScript code and showed the alert pop-up.
After the payload was added to the URL, I clicked the Back link on the feedback page.
Then, an alert pop-up appeared and showed the cookie value.
After the alert appeared, the lab status changed to Solved.
This lab shows how DOM XSS can happen when a website uses user-controlled data from location.search and places it into an anchor href attribute.
By changing the returnPath parameter into:
javascript:alert(document.cookie)
the Back link was changed into a JavaScript link. When the Back link was clicked, the browser executed the payload and showed the alert pop-up.
From this lab, I learned that user input should not be directly placed into an href attribute without validation. The website should only allow safe URLs and block dangerous schemes like javascript:.
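One way to apply that validation before the value reaches the href, as an added example that is not the lab's code or part of the original write-up. The function name safeReturnPath, the "/" fallback and the https://lab.example origin are assumptions made for illustration.

```javascript
// Added example (not the lab's code). The page describes the vulnerable
// pattern: the returnPath value from location.search is written into the
// Back link's href unchanged. The function below validates it first.

// Returns a same-origin path for the Back link, or `fallback` when the
// returnPath value is missing, unparsable, non-http(s) or off-origin.
function safeReturnPath(search, origin, fallback = "/") {
  const raw = new URLSearchParams(search).get("returnPath");
  if (raw === null || raw === "") return fallback;

  let url;
  try {
    // Parse the way the browser would resolve an href on this page.
    url = new URL(raw, origin);
  } catch {
    return fallback;
  }

  // Allowlist the scheme after parsing, so case differences are normalised
  // by the parser rather than matched by hand.
  if (url.protocol !== "http:" && url.protocol !== "https:") return fallback;
  // Keep the link on this site.
  if (url.origin !== origin) return fallback;

  // Hand back only the path, query and fragment.
  return url.pathname + url.search + url.hash;
}

// Constructed sample inputs; https://lab.example is a placeholder origin.
function demo() {
  const origin = "https://lab.example";
  const samples = [
    "?returnPath=/sjdhfva",
    "?returnPath=javascript:alert(document.cookie)",
    "?returnPath=//other.example/x",
    "",
  ];
  return samples.map((s) => [s, safeReturnPath(s, origin)]);
}

for (const [input, href] of demo()) console.log(JSON.stringify(input), "->", href);

// Browser usage (assumed wiring, using the backLink id shown on the page):
//   $("#backLink").attr("href", safeReturnPath(location.search, location.origin));
```

An allowlist of http: and https: rejects every other scheme by default, which is stricter than a blocklist containing only javascript:.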
Thanks for your attention.