I came across a case where I can change an attribute of an HTML tag in the response. Let's say I have added beforeunload=alert(1) to the tag, and the final response is like this:
```
HTTP/1.1 302 Object Moved
Location: https://example.com/foo/"beforeunload=alert(1)/
Content-Type: text/html
Cache-Control: private
Connection: close

<head><body> This object may be found <a HREF="https://example.com/foo/"beforeunload=alert(1)/">here</a> </body>
```
Because it is a 302 response, the browser goes directly to the page and doesn't execute the JS code. You may think that beforeunload is not a suitable payload. I tried with but this doesn't change the situation.
I wonder if you have a solution to provide an XSS PoC on 3xx pages?
Thanks in advance.
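The server-side fix for the response shown in the post, as an added example that is not part of the original post: the redirect target is percent-encoded for the `Location` header and HTML-escaped for the `href` attribute, so the quote can no longer close the attribute. The function names and the `ALLOWED_HOSTS` allowlist are assumptions made for the illustration.

```python
from html import escape
from urllib.parse import quote, urlsplit, urlunsplit

# Assumption for this example: redirects may only point at these hosts.
ALLOWED_HOSTS = frozenset({"example.com"})
# Characters left literal inside path/query; '"', '<', '>', "'" and space are
# not in the list, so they are percent-encoded. '%' keeps existing escapes.
SAFE = "/%:@!$&()*+,;=?"
TEMPLATE = '<html><body>This object may be found <a href="{}">here</a></body></html>'


def naive_body(target: str) -> str:
    """What the page shows: the target is copied into the attribute as-is."""
    return TEMPLATE.format(target)


def build_redirect(target: str, allowed_hosts=ALLOWED_HOSTS):
    """Return (headers, body) for a 302 whose target cannot break out of
    either the Location header or the href attribute."""
    # Reject CR/LF and other control characters before any parsing.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        raise ValueError("control character in redirect target")
    parts = urlsplit(target)
    if parts.scheme != "https" or parts.hostname not in allowed_hosts:
        raise ValueError("redirect target not allowed")
    # Rebuild the authority from hostname and port only (drops userinfo).
    netloc = parts.hostname + (f":{parts.port}" if parts.port else "")
    location = urlunsplit((
        "https",
        netloc,
        quote(parts.path, safe=SAFE),
        quote(parts.query, safe=SAFE),
        quote(parts.fragment, safe=SAFE),
    ))
    headers = {
        "Location": location,
        "Content-Type": "text/html; charset=utf-8",
    }
    # Escape again for the HTML attribute context (defence in depth; also
    # turns '&' in query strings into '&amp;').
    body = TEMPLATE.format(escape(location, quote=True))
    return headers, body


if __name__ == "__main__":
    sample = 'https://example.com/foo/"beforeunload=alert(1)/'  # from the post
    print(naive_body(sample))
    print(build_redirect(sample))
```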