Payload of the Day #01: DOM XSS in jQuery Sink via location.hash

Tags: [XSS, DOM XSS, Web Security, jQuery, JavaScript]

Series: Payload of the Day

---

Context:

This payload targets a DOM-based XSS vulnerability in a site that uses jQuery’s $() selector and pulls user input directly from location.hash.

The vulnerable line looks like:

$(location.hash)

Since jQuery’s $() function treats the input as a selector or DOM content, injecting raw HTML into the hash leads to execution of JavaScript.

Payload

<iframe src="https://target.url/#" onload="this.src+='<img src=x onerror=print()>'"></iframe>

Why this works

  • The iframe loads the vulnerable site.

  • onload modifies the iframe’s src, appending a malicious location.hash.

  • The vulnerable page reads that hash and uses it inside $(...), which parses it as HTML and creates the DOM element.

  • The <img> tag fires onerror, and the print() function executes in the victim’s browser.

Test Details:

  • Browser: Google Chrome (as required by the lab)

  • Lab: PortSwigger Academy – “DOM XSS in jQuery selector sink using a hashchange event”

Lesson:

If user-controlled data is passed into $() without sanitization, and it’s treated as HTML or selectors, you’re looking at a high-risk DOM XSS.
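
One way to close the sink from the lesson above, as an added example (not code from the original post or the lab): the hashchange handler validates the fragment as a plain element id and looks it up with getElementById instead of passing it to $(). The names fragmentToId, resolveTarget, ID_PATTERN and the stub document are assumptions made for illustration, as is the premise that fragments on the site only ever name element ids.

```javascript
// Vulnerable pattern from the article (do not use):
//   $(window).on("hashchange", function () { $(location.hash); });

// Assumption: fragments on this site only ever name element ids.
const ID_PATTERN = /^[A-Za-z][A-Za-z0-9_-]{0,63}$/;

// Turn a raw location.hash into a validated id, or null if it is anything else.
function fragmentToId(hash) {
  const raw = String(hash).replace(/^#/, "");
  let decoded;
  try {
    decoded = decodeURIComponent(raw); // the hash may arrive percent-encoded
  } catch {
    return null; // malformed percent-encoding
  }
  return ID_PATTERN.test(decoded) ? decoded : null;
}

// Look the element up by id only; the string is never parsed as a selector or as HTML.
function resolveTarget(hash, doc) {
  const id = fragmentToId(hash);
  return id === null ? null : doc.getElementById(id);
}

// Browser wiring (skipped when the file is run outside a browser).
if (typeof window !== "undefined") {
  window.addEventListener("hashchange", () => {
    const el = resolveTarget(window.location.hash, document);
    if (el) el.scrollIntoView();
  });
}

// Constructed sample input: a stub document and three fragments.
const stubDoc = {
  getElementById: (id) => (id === "comments" ? { id } : null),
};
function demo() {
  return ["#comments", "#<img src=x onerror=print()>", "#%3Cimg%20src%3Dx%3E"].map(
    (h) => resolveTarget(h, stubDoc) !== null
  );
}
```

Forbidding framing with a CSP frame-ancestors directive stops the iframe delivery shown in the payload, but the sink itself still needs this fix.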

Follow the series for more fire drops.

Next up: Payload #02 coming soon


Written by

Emmanuel Agyarko Ampah