DOMXSS - how to exploit this lab?

I’ve been using the Google Firing Range site to learn about DOMXSS vulnerabilities. However, I’ve come across one that I can’t seem to solve:

https://public-firing-range.appspot.com/address/locationhref/documentwrite

<script>
  var payload = window.location.href;
  document.write(payload);
</script>

The source is location.href and the sink is document.write. How can an attacker control location.href? If anyone could help me solve/understand this, I would really appreciate it.


You can play with the URL without leaving the current page. 🙂

For example,

example.com/page
example.com/page?payload
example.com/page?foo&payload
example.com/page#payload

-> all of them are the same page, and location.href will see ‘payload’. 😉

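The point made in the reply above, as an added example that is not part of the thread or of Firing Range: the query and fragment change `location.href` without changing which page loads, so the lab's script must treat the whole href as untrusted and encode it before it reaches `document.write`. All function names and sample URLs here are constructed for illustration.

```javascript
// Added example (not from the thread). Function names are hypothetical.
// Constructed sample hrefs: the four URL shapes listed in the reply.
const SAMPLE_HREFS = [
  "https://example.com/page",
  "https://example.com/page?payload",
  "https://example.com/page?foo&payload",
  "https://example.com/page#payload",
];

// Split an href into the part that selects the page and the parts
// (query, fragment) that whoever builds the link chooses freely.
function hrefParts(href) {
  const u = new URL(href);
  return { page: u.origin + u.pathname, query: u.search, fragment: u.hash };
}

// True when every href loads the same page even though the strings differ.
function samePage(hrefs) {
  const pages = new Set(hrefs.map((h) => hrefParts(h).page));
  return pages.size === 1;
}

const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a string for an HTML text context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// What the lab's script hands to document.write: the href, unchanged.
function markupVulnerable(href) {
  return href;
}

// Hardened form: encode first, so the href can only ever render as text.
// In a real page, element.textContent = href avoids the HTML parser entirely.
function markupHardened(href) {
  return escapeHtml(href);
}

// Does the string still contain characters the HTML parser treats as markup?
function hasMarkupChars(s) {
  return /[<>]/.test(s);
}
```

Browser URL normalization is not a substitute for encoding at the sink, which is why the hardened form encodes the string itself rather than relying on how the href was serialized.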

But how can I get alert(1)?