Hello hunters,

I came across these codes and I think a XSS exploit can be squeeze out of here but I don’t understand what this code does exactly. So I couldn’t write any successful XSS payload.

var hashvalue = window.location.hash.substring(1);
var i = $("[id *= ‘" + hashvalue + "’]");

Can you explain (specifically the role of * , $ and [ ] signs) the code a bit more?
I am not that good at JS so don’t judge me too much

Thanks in advance

Hi,

var hashvalue = window.location.hash.substring(1);

extracts hash value from the URL, without actually # sign (substring() call starts from first sign, but chars in strings are indexed started from 0, so what you get is a part of url hash starting from first char after #).

So let’s say you’ve got an url:

http://server.com/somepage#test

When first line of your code runs, variable hashvalue equals ‘test’

Second line of code actually assigns to variable named i an element (I assume $ is global reference to jQuery, which is typical)

So:

var i = $("[id *= '" + hashvalue + "']");

means: "find in DOM tree an element, which id attribute equals ‘test’

So if you have DOM fragment like this:

<div id="test">Test div</div>

exactly this element becomes value of i variable.

I hope it helps you a little bit

Happy hunting!

Thanks for explanation bl4de. Still can’t find a DOM XSS payload

Yeah, this is not the code where DOM XSS exists unfortunately.
hashvalue is not evaluated anywhere, so you won’t be able to inject anything here

One of your question was the role of * in:

id *= “some values”
is equal to: id = id * "some values"

It is equal to a += b that is a = a + b and so.

I guess the $ is part of the syntax of JQuery regarding to asing values to variables.
And the brackets [ ] are part of some of the generated value. If you see they are part of concatenation.

I’m not master of JS, I just have some knowledge about programming and I don’t remember where I read about JQuery and it looks like that.

Have a good day and happy hacking!