DOM-based XSS is a vulnerability in which the attacker can inject arbitrary JavaScript code into any DOM sink that supports dynamic code execution. In our case, the source is the query parameter return_url and the sink is location.href.
1. Start the karma server and visit the following link:
http://localhost:9876/?return_url=javascript:alert(document.domain)
The attacker can then execute malicious JavaScript code in the victim's browser, for example to run crypto miners, exploit 0-day remote code execution bugs in the browser, etc.