I stumbled upon Google's firing range for DOM XSS testing, and this case caught my eye:

<script>
  // Source: the URL fragment; sink: document.write() in an HTML context
  var payload = window.location.hash.substr(1);
  document.write(payload);
</script>

As far as I know, Chrome, Firefox and Safari now URL-encode location.hash and location.search, making the exploit fail:

malicious link:

https://public-firing-range.appspot.com/address/location.hash/documentwrite#<script>alert(1)</script>

result on page:

%3Cscript%3Ealert(1)%3C/script%3E 

Given that the above-mentioned browsers take up most of the market share, is this vulnerability effectively not exploitable anymore? Or is there a way to exploit it despite the URL-encoding?

Thanks in advance.

borizzzzz
  • If they are just _most_ of the market share, doesn't that mean there are still browsers out there that are still vulnerable? – Fire Quacker Apr 24 '20 at 17:22
  • @dandavis, the script snippet is not under the attacker's control, only the URL. I agree that naming the variable as 'payload' is a bit confusing. – borizzzzz Apr 24 '20 at 19:33
  • @FireQuacker fair enough. I think IE browsers and Microsoft Edge don't URL-encode `location.hash` so they are definitely still vulnerable. – borizzzzz Apr 24 '20 at 19:38
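The following is an added illustration, not part of the question or of Google's firing range code. It reproduces in Node what the two browser behaviours described above hand to the sink, and shows the fix a defender would apply: HTML-encode the fragment before writing it (or use a text sink), rather than relying on the browser's URL encoding. It assumes Node's WHATWG URL parser applies the same fragment percent-encoding as Chrome, Firefox and Safari.

```javascript
// Added example; not from the question or from Google's firing range.
// Node's URL class implements the WHATWG URL parser, which percent-encodes
// '<', '>', '"', '`' and space in the fragment, the behaviour the question
// observes in Chrome, Firefox and Safari.
const FIRING_RANGE_URL =
  "https://public-firing-range.appspot.com/address/location.hash/documentwrite#<script>alert(1)</script>";

// What `window.location.hash.substr(1)` yields in a WHATWG-compliant browser.
function hashFromUrl(url) {
  return new URL(url).hash.substr(1);
}

// Browsers that return the fragment verbatim (the comments mention IE and
// old Edge); modelled here by slicing the URL string, as a constructed case.
function legacyHashFromUrl(url) {
  const i = url.indexOf("#");
  return i === -1 ? "" : url.slice(i + 1);
}

// Defensive fix for the sink: HTML-encode before document.write, so the
// page's safety no longer depends on how the browser encodes location.hash.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Drop-in replacement for `document.write(payload)`: returns the markup that
// would be written. Inert whether or not the browser encoded the hash.
function safeMarkupForHash(rawHash) {
  return escapeHtml(rawHash);
}

// Review/detection helper: does a string still contain a raw HTML tag?
function containsRawTag(s) {
  return /<\s*\/?\s*[a-z]/i.test(s);
}

console.log("WHATWG browser hash :", hashFromUrl(FIRING_RANGE_URL));
console.log("legacy browser hash :", legacyHashFromUrl(FIRING_RANGE_URL));
console.log("escaped output      :", safeMarkupForHash(legacyHashFromUrl(FIRING_RANGE_URL)));
```

Running it prints the percent-encoded fragment seen in the question for the WHATWG case and the raw tag for the legacy case; only the escaped output is safe for both.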
