I’ve been using the Google Firing Range site to learn about DOM XSS vulnerabilities. However, I’ve come across one that I can’t seem to solve:
<script> var payload = window.location.href; document.write(payload); </script>
The source is location.href and the sink is document.write. How can an attacker control location.href? If anyone could help me solve/understand this, I would really appreciate it.
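
Added example, not part of the original post: a small heuristic check that traces the source-to-sink flow named in the question (a URL-derived value reaching `document.write`) and shows that writing the same value through `textContent` is not reported. The function name `findDomXssFlows`, the sample strings other than the posted snippet, and the element name `out` are hypothetical.

```javascript
// Heuristic DOM XSS lint (added example): flags URL-derived values that reach
// HTML-parsing sinks inside one script. Regex-based, so it misses aliasing,
// function calls and cross-file flows; all names here are hypothetical.
const SOURCES = /\b(?:window\.|document\.)?location(?:\.(?:href|hash|search|pathname))?\b|\bdocument\.(?:URL|documentURI|referrer)\b/;
const VAR_ASSIGN = /\b(?:var|let|const)\s+([A-Za-z_]\w*)\s*=\s*([^;]+)/g;
const SINK_CALL = /\bdocument\.(write|writeln)\s*\(([^)]*)\)/g;
const SINK_ASSIGN = /\.(innerHTML|outerHTML)\s*=\s*([^;]+)/g;

function findDomXssFlows(scriptText) {
  const tainted = new Set();
  const isTainted = (expr) =>
    SOURCES.test(expr) ||
    [...tainted].some((name) => new RegExp(`\\b${name}\\b`).test(expr));

  // Pass 1: in source order, mark variables initialised from a source or
  // from an already tainted variable.
  for (const [, name, expr] of scriptText.matchAll(VAR_ASSIGN)) {
    if (isTainted(expr)) tainted.add(name);
  }
  // Pass 2: report sinks whose argument or right-hand side is tainted.
  const findings = [];
  for (const [, sink, arg] of scriptText.matchAll(SINK_CALL)) {
    if (isTainted(arg)) findings.push({ sink: `document.${sink}`, expr: arg.trim() });
  }
  for (const [, sink, expr] of scriptText.matchAll(SINK_ASSIGN)) {
    if (isTainted(expr)) findings.push({ sink, expr: expr.trim() });
  }
  return findings;
}

// The snippet from the post.
const POSTED = "var payload = window.location.href; document.write(payload);";
// Constructed variants: an indirect flow, and a version that writes the URL as text.
const INDIRECT = 'var u = document.URL; var msg = "<b>" + u; out.innerHTML = msg;';
const AS_TEXT = "var payload = window.location.href; out.textContent = payload;";

for (const [label, src] of Object.entries({ POSTED, INDIRECT, AS_TEXT })) {
  console.log(label, JSON.stringify(findDomXssFlows(src)));
}
```

The `AS_TEXT` variant is not flagged because `textContent` inserts the URL as a text node instead of passing it to the HTML parser.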