huntr / R0hansh / 64B67EA1-5487-4382-A5F6-E8A95F798885
Jan 08, 2022 - 3:07 p.m.

Cross-site Scripting (XSS) - DOM in karma-runner/karma

2022-01-08 15:07:49
r0hansh
www.huntr.dev

EPSS: 0.001 (Low), percentile 41.6%

Description

DOM-based XSS is a vulnerability in which an attacker can inject arbitrary JavaScript into a DOM sink that supports dynamic code execution. In this case, the source is the query parameter return_url and the sink is location.href.

Proof of Concept

1. Start the Karma server and visit the following link:

http://localhost:9876/?return_url=javascript:alert(document.domain)
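A check that keeps the link above from reaching the sink, as an added example that is not part of the original report and is not Karma's own code. The names safeReturnUrl and sameOriginOnly are hypothetical, and the sample inputs are constructed.

```javascript
// Added example; safeReturnUrl and sameOriginOnly are hypothetical names.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns a normalized URL that is safe to assign to location.href,
// or null when the return_url value must be rejected.
function safeReturnUrl(search, pageUrl, { sameOriginOnly = false } = {}) {
  const raw = new URLSearchParams(search).get('return_url');
  if (raw === null || raw === '') return null;

  let target;
  try {
    // Resolve against the current page so relative paths keep working.
    // The URL parser trims leading control characters and spaces, drops
    // tabs and newlines, and lowercases the scheme, so obfuscated
    // spellings of "javascript:" are classified the way a browser would.
    target = new URL(raw, pageUrl);
  } catch {
    return null; // unparseable input never reaches the sink
  }
  if (!ALLOWED_PROTOCOLS.has(target.protocol)) return null;
  if (sameOriginOnly && target.origin !== new URL(pageUrl).origin) return null;
  return target.href;
}

// In the browser the guarded sink would read:
//   const next = safeReturnUrl(location.search, location.href);
//   if (next !== null) location.href = next;

// Constructed sample inputs; the hosts other than localhost are made up.
const PAGE = 'http://localhost:9876/';
const SAMPLES = [
  '?return_url=javascript:alert(document.domain)', // the link from the report
  '?return_url=%09JaVa%0AScript:alert(1)',         // same scheme, obfuscated
  '?return_url=data:text/html,hello',
  '?return_url=/context.html',
  '?return_url=https://ci.example/job/1',
];
for (const q of SAMPLES) {
  console.log(q, '->', safeReturnUrl(q, PAGE));
}
```

Checking the parsed protocol rather than the raw string is what makes the obfuscated sample fail the same way as the plain one.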

Impact

An attacker can execute malicious JavaScript in the victim’s browser, for example to run crypto miners or to exploit 0-day remote code execution bugs in the browser.
