Name is required.
Email address is required.
Invalid email address
Answer is required.
Exceeding max length of 5KB

Cross-site scripting (DOM-based)

fox Dec 22, 2019 11:04PM UTC

Hi team,
I got he following issue on my app:

"The application may be vulnerable to DOM-based cross-site scripting. Data is read from window.location.hash and passed to $()."

"Data is read from window.location.hash and passed to $() via the following statement:
$('a[href="' + window.location.hash + '"]').click();"

I tried to exploit it using https://URL#javascript:alert(document.domain); but it was not successful. Could you please tell me how that issue can be exploited? Or it's a false positive.

Thanks in advance


Hannah Law Dec 31, 2019 01:52PM UTC Support Center agent

Please find the methodology for testing DOM-based XSS here: https://support.portswigger.net/customer/portal/articles/2325926-Methodology_Attacking%20Users_XSS_Using%20Burp%20Scanner%20To%20Find%20DOM%20XSS.html


Post Your public answer

Your name
Your email address
Answer