DOMXSS - how to exploit this lab?

waike · June 28, 2020, 10:59am

I’ve been using the Google Firing Range site to learn about DOMXSS vulnerabilities. However, I’ve come across one that I can’t seem to solve:

https://public-firing-range.appspot.com/address/locationhref/documentwrite

<script>
  var payload = window.location.href;
  document.write(payload);
</script>

The source is location.href and the sink is document.write. How can an attacker control location.href? If anyone could help me solve/understand this, I would really appreciate it.

numaN · June 28, 2020, 12:05pm

You can play with URL without leave the current page.

For example,

example.com/page
example.com/page?payload
example.com/page?foo&payload
example.com/page#payload

-> all of them is same page and location.href will see ‘payload’ .

waike · June 28, 2020, 12:56pm

But how can I get alert(1)?

Topic		Replies	Views
Google firing range vs portswigger labs Starter Zone	1	1557	April 11, 2021
Help for dom xss Web Hacking	6	10760	July 13, 2020
Hash sign wrecking my XSS payload. How to exploit? Starter Zone	1	4468	July 31, 2017
Dom based XSS question Starter Zone	6	5322	August 5, 2017
Am I on the verge of my first bug found? Starter Zone	5	2167	May 16, 2018

DOMXSS - how to exploit this lab?

Related topics