
Cross-site scripting (DOM-based)

fox Dec 22, 2019 11:04PM UTC

Hi team,
I got the following issue on my app:

"The application may be vulnerable to DOM-based cross-site scripting. Data is read from window.location.hash and passed to $()."

"Data is read from window.location.hash and passed to $() via the following statement:
$('a[href="' + window.location.hash + '"]').click();"

I tried to exploit it using https://URL#javascript:alert(document.domain); but it was not successful. Could you please tell me how that issue can be exploited? Or is it a false positive?

Thanks in advance

Hannah Law Dec 31, 2019 01:52PM UTC Support Center agent

Please find the methodology for testing DOM-based XSS here:
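
One way to remove the data flow the scanner flagged, as an added example that is not part of the original thread or from either poster: check `window.location.hash` against a strict pattern and match it to existing links by comparison, so the fragment is never concatenated into the string passed to `$()`. The function names, the allowed-fragment pattern and the sample links are assumptions.

```javascript
// Added example; names and the allowlist pattern are assumptions, not from the thread.

// Fragments the page will act on: "#" followed by an id-like token.
// Quotes, brackets, angle brackets, colons and whitespace never match.
const FRAGMENT_RE = /^#[A-Za-z][A-Za-z0-9_-]{0,63}$/;

// Returns the fragment unchanged if it is an id-like token, otherwise null.
function validateFragment(hash) {
  if (typeof hash !== 'string') return null;
  return FRAGMENT_RE.test(hash) ? hash : null;
}

// Finds the link whose href attribute equals the fragment, by comparison
// rather than by building a selector string from untrusted input.
// `links` is any iterable of objects exposing getAttribute('href'),
// for example document.querySelectorAll('a') in a browser.
function findTabLink(links, hash) {
  const fragment = validateFragment(hash);
  if (fragment === null) return null;
  for (const link of links) {
    if (link.getAttribute('href') === fragment) return link;
  }
  return null;
}

// Browser wiring, replacing the flagged statement. Skipped where no DOM exists.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const link = findTabLink(document.querySelectorAll('a'), window.location.hash);
  if (link) link.click();
}

// Constructed stand-ins for anchor elements, so the logic runs outside a browser.
function fakeLink(href) {
  return { getAttribute: (name) => (name === 'href' ? href : null) };
}
const SAMPLE_LINKS = [fakeLink('#profile'), fakeLink('#settings'), fakeLink('/logout')];
```

With this in place the only value that ever reaches a DOM lookup is one that already exists as an `href` on the page.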
