Help for dom xss

hello. While searching for a vulnerability on a website, I saw the code below.


i think there is a dom xss here but i can’t get the xss warning. The payload I tried is as follows.’);alert(1)//

this payload does not work. please can you help with this. where am i doing wrong

The payload you mentioned was is just to alert if there is a message contains Windows.location.hash where the payload has be contained with javacript alerts which enumerate the vulnerability to active so the payload has to be somewhat like this “(< /script>alert (window.location.hash)< / script>)”. so if it helps
Thank you

1 Like

Thank you… but it is not worked :frowning:

Most modern browsers have many security measures to prevent DOM based XSS. Perhaps you can try the payload in an older browser like IE11.

its just a example of the payload, you have to figure it with multiple types of payloads, use headings, block heading type of scripts,. if there is a vulnerability there it should work just fine. to be frank i’m just a newbie. I assume the error is within the window.location.hash since its a loop

Unless there’s a bug somewhere in jQuery, there is no possibility for an XSS here. The code you highlighted simply calls the jQuery() function with a string argument. No matter what you put in msg, it will be passed as a proper string to jQuery(); there is no possibility to “escape” the string and the parenthesis to execute your own code.

There is not a vulnerability in that code. However, for future findings, what you can do is try to do the same in the console of the browser. For instance: open the console and enter those two highlighted lines of code and see what happens.