How To trigger JS execution on 302 page

Hi guys,

I came across a case where I can change an attribute of an HTML tag in the response. Let's say I have added beforeunload=alert(1) to the tag, and the final response is like this:

HTTP/1.1 302 Object Moved
Content-Type: text/html
Cache-Control: private
Connection: close

<head><body> This object may be found <a HREF=""beforeunload=alert(1)/">here</a> </body>

Because it is a 302 response, the browser goes directly to the page and doesn't execute the JS code. You may think that beforeunload is not a suitable payload. I tried with but this doesn't change the situation.

I wonder if you have a solution to provide an XSS PoC on 3xx pages?

Thanks in advance.


These days, most browsers won’t render the content of the page and will follow the 302 redirect immediately. This wasn’t always the case. In some cases, you could trick the browser by setting Location: data:html or Location: abcd:x, and the browser would error out the redirect and display the contents of the page.

Browsers have caught on to those tricks and now they will either give an error or just not go to the page. But I haven't tried them all, so go ahead and set up an open redirect to test with and try it in all the modern browsers for yourself.

Hi @monochrome
can you provide more context? Where is the injection? What is the response you posted? Is it where the injection is or is returned when you click somewhere or something like that?

Hi @stefanofindsbugs,

I didn't notice Bugcrowd cropped (or hid) some parts of the response in the original question text. I have edited the question text. I think you'll get the answers if you look at the question again.

BTW, the injection point is the URL, but that's not much related to the topic.

Thanks @monochrome.
As @superevr said, it's very unlikely you can make the browser execute that. However, it's important to know how you get that 302 response, because I think it's possible to execute XSS on Firefox if the URL in Location is in some way invalid, like http://1234:0. So, if you are getting that response from something where you can change the entire URL, or maybe you can do something like [injection], then it may be possible to do something with it. If you just got that response after adding a quote in the request, don't forget to try with the quote encoded (%22), because that's the way modern browsers are going to send the quote in the request to the server.
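For the server side of this thread: the reply above warns about malformed Location values, and the question shows a 302 body that echoes the target URL unescaped into an `HREF` attribute. The following is an added example (not code from the thread or from any particular web server) that builds the same "Object Moved" response in a vulnerable and a hardened form and validates the Location value before emitting it; the function names are my own.

```python
import html
from urllib.parse import urlsplit

# Constructed example, not code from the thread or any named product: an
# IIS-style "Object Moved" 302 whose body echoes the target URL into an
# <a HREF="..."> link, as in the response quoted in the question.

def redirect_body_unsafe(location: str) -> str:
    # Mirrors the quoted response: the raw value lands inside a double-quoted
    # attribute, so a quote in the input breaks out and adds a new attribute.
    return ('<head><body> This object may be found '
            f'<a HREF="{location}">here</a> </body>')

def redirect_body_safe(location: str) -> str:
    # Attribute-encode the value (quotes become &quot;), so the echoed URL
    # can never introduce an attribute such as an event handler.
    return ('<head><body> This object may be found '
            f'<a HREF="{html.escape(location, quote=True)}">here</a> </body>')

def is_acceptable_location(location: str) -> bool:
    # Refuse CR/LF/NUL (header injection) and any scheme other than http(s),
    # which also covers the data: and abcd: style targets the replies mention;
    # site-relative paths are allowed, protocol-relative ones (//host) are not.
    if any(ch in location for ch in "\r\n\0"):
        return False
    parts = urlsplit(location)
    if parts.scheme:
        return parts.scheme in ("http", "https") and bool(parts.netloc)
    return location.startswith("/") and not location.startswith("//")

def build_redirect(location: str, safe: bool = True) -> str:
    # Assemble the full response text with the headers from the question;
    # Location is validated first so the redirect target is never malformed.
    if not is_acceptable_location(location):
        raise ValueError(f"refusing redirect target: {location!r}")
    body = redirect_body_safe(location) if safe else redirect_body_unsafe(location)
    return ("HTTP/1.1 302 Object Moved\r\n"
            "Content-Type: text/html\r\n"
            "Cache-Control: private\r\n"
            "Connection: close\r\n"
            f"Location: {location}\r\n"
            "\r\n" + body)

if __name__ == "__main__":
    tainted = '"beforeunload=alert(1)/'   # the value from the question
    print(redirect_body_unsafe(tainted))   # attribute breakout visible
    print(redirect_body_safe(tainted))     # quote encoded, link intact
```

Whether or not a browser ever renders a 3xx body, encoding the echoed value and rejecting odd Location schemes removes both the reflected-attribute issue and the invalid-Location edge cases discussed here.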

Thanks guys. That is good advice. Unfortunately I don't have a chance to get an invalid Location in my particular case. But it is nice to be armed for the next time.

Good luck :slight_smile: