I stumbled upon Google's firing range for DOM XSS testing, and this case caught my eye:
<script>
  // Source: the URL fragment; sink: document.write (intentionally vulnerable test case)
  var payload = window.location.hash.substr(1);
  document.write(payload);
</script>
As far as I know, Chrome, Firefox and Safari now URL-encode location.hash and location.search, making the exploit fail:
malicious link:
https://public-firing-range.appspot.com/address/location.hash/documentwrite#<script>alert(1)</script>
result on page:
%3Cscript%3Ealert(1)%3C/script%3E
Given that the above-mentioned browsers take up most of the market share, is this vulnerability effectively not exploitable anymore? Or is there a way to exploit it despite the URL-encoding?
Thanks in advance.
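Added example, not part of the original question and not the firing range's own code: a small Node.js model of the sink that shows why the percent-encoded fragment quoted above is harmless for the exact code shown, and why a variant of the same page that decodes the fragment before writing it is not. It assumes the browser exposes the fragment exactly as the post reports it (`%3Cscript%3E...`), models `document.write` and `textContent` with plain string functions since there is no DOM under Node, and uses a regex as a rough stand-in for "would the HTML parser create a `<script>` element"; the function names are hypothetical.

```javascript
// Added example (not from the firing range or the original question).
// Models the document.write sink with plain string functions so it runs
// under Node.js without a browser DOM.

// Constructed input: what the post reports the browser exposing in
// window.location.hash after the user follows the malicious link.
const ENCODED_HASH = "#%3Cscript%3Ealert(1)%3C/script%3E";

// Sink 1: the firing range code as posted. document.write receives the
// fragment exactly as the browser exposes it, percent-encoded.
function sinkAsPosted(hash) {
  return hash.substr(1);
}

// Sink 2: a common variant that decodes the fragment before writing it
// (assumption: pages often do this to get readable values back).
// decodeURIComponent undoes exactly the encoding the browser applied.
function sinkWithDecode(hash) {
  return decodeURIComponent(hash.substr(1));
}

// Hardened form: the same decoded data assigned via textContent instead of
// document.write. A text node is never parsed as markup; that is modelled
// here by HTML-escaping, which is how the browser would serialize it.
function hardenedSink(hash) {
  return decodeURIComponent(hash.substr(1))
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// document.write hands its argument to the HTML parser. The parser does
// not percent-decode, so a tag can only form if a literal '<' is present.
// Rough stand-in for "would the parser create a <script> element".
function wouldCreateScriptTag(markup) {
  return /<script\b/i.test(markup);
}

function demo() {
  return {
    asPosted: wouldCreateScriptTag(sinkAsPosted(ENCODED_HASH)),     // false
    withDecode: wouldCreateScriptTag(sinkWithDecode(ENCODED_HASH)), // true
    hardened: wouldCreateScriptTag(hardenedSink(ENCODED_HASH)),     // false
  };
}

console.log(demo());
```

The point the model makes: the browser's percent-encoding protects only the sink exactly as written. Any `decodeURIComponent`, `unescape` or framework equivalent between `location.hash` and `document.write` hands the parser a literal `<script>` again, so when testing a real page the thing to look for is a decode step, not just the sink. Whether a given browser version actually encodes the fragment is outside what this example checks; it only takes the value quoted in the post as its input.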