DOM Based XSS attack example no longer viable due to Browser encoding

Question

DOM Based XSS attack example no longer viable due to Browser encoding

EnFinlay opened this issue 3 years ago · comments

The example code


Select your language:

<select><script>

document.write("<OPTION value=1>"+document.location.href.substring(document.location.href.indexOf("default=")+8)+"</OPTION>");

document.write("<OPTION value=2>English</OPTION>");

</script></select>

Is no longer vulnerable on most modern browsers since document.location.href is URL encoded by default. The example should be updated to reflect that decoding is required for the attack to work as described.

Rick M · Answer 1 · Thu Feb 11 2021 10:12:41 GMT+0800 (China Standard Time)

Where are you seeing this example?

Rick M · Answer 2 · Thu Feb 11 2021 10:15:23 GMT+0800 (China Standard Time)

Disregard, I found it: https://github.com/OWASP/www-community/blob/master/pages/attacks/DOM_Based_XSS.md

You can click "Edit on GitHub" at the bottom of the live page and submit a PR 😀 (Don't forget to add yourself to the "contributors" front matter)