DOM-based XSS - via URL
I have a website that I am testing but I am pretty new to all of this security stuff and would appreciate some help!.
I have a url similar to the following:
nexturlparameter determines what url should be displayed after something has happened.
I'm trying to test for XSS vulnerabilities and have disabled URL filtering in my browser. I am trying to replace the whatever with something like
and if I view the page source code I see "
Also, are you only testing for XSS, or would you also be interested in open redirect issues?
Legitimate sites that a user trusts with arbitrary redirects like that are great for phishing attacks!
Consider that I get an email with a link:
yoursite.com, I'm happy to log in and view my account! Then after interacting with it, it takes me back to the login page. Weird, I though I'd already logged in, oh well, guess I'll log in again ...