Help for DOM XSS

Hello. While searching for a vulnerability on a website, I saw the code below.

[Image: photo_2020-07-09_23-19-16]

I think there is a DOM XSS here, but I can’t get the XSS warning. The payload I tried is as follows.

https://example.com/cars#');alert(1)//

This payload does not work. Can you please help with this? Where am I going wrong?

The payload you mentioned is just to alert if there is a message that contains Windows.location.hash, where the payload has to be contained with JavaScript alerts which enumerate the vulnerability to active, so the payload has to be somewhat like this: “(< /script>alert (window.location.hash)< / script>)”. So, if it helps.
Thank you


Thank you… but it did not work :(

Most modern browsers have many security measures to prevent DOM based XSS. Perhaps you can try the payload in an older browser like IE11.

It’s just an example of the payload; you have to figure it out with multiple types of payloads, use headings, block heading type of scripts. If there is a vulnerability there, it should work just fine. To be frank, I’m just a newbie. I assume the error is within the window.location.hash since it’s a loop.

Unless there’s a bug somewhere in jQuery, there is no possibility for an XSS here. The code you highlighted simply calls the jQuery() function with a string argument. No matter what you put in msg, it will be passed as a proper string to jQuery(); there is no possibility to “escape” the string and the parenthesis to execute your own code.

There is not a vulnerability in that code. However, for future findings, what you can do is try to do the same in the console of the browser. For instance: open the console and enter those two highlighted lines of code and see what happens.