Location based XSS attacks

The basic attack

Using the hash portion of the location is a good way to beat filters, anything sent via the hash is not sent to the server in question. We can use a large amount of data which is hidden from the server side filters and combine it with data sent on the server. For example we can send:-

http://someserver.com/somepage.php?
param=",eval(location.hash.slice(1))//#alert(1)

Data sent to the server : ``` ",eval(location.hash.slice(1))//

Data only sent through the client : ```
#alert(1)

"slice" simply selects the location.hash from the second character because the # is included and would raise a syntax error.

More advanced variation

There are times when server side filters will remove all instances of "(" or ")" or maybe a WAF will disallow such requests. That alone will not save you from these sort of attacks because there's a trick you can use to defeat those filters.

Remember the server can only see the server side potion of the attack, we can combine both strings to produce our attack without "(" or ")". For example:-

http://someserver.com/somepage.php?
param=",location='javascript:/*'+location.hash//#*/alert(1)

Data sent to the server : ``` ",location='javascript:/*'+location.hash//

Data sent to the client : ```
#*/alert(1)

We start the comment in the server side request and complete it in the client side location.hash request. Location is assigned javascript:/*#*/alert(1) removing the need for the slice(1) as shown previously.

The attacks mentioned are DOM based XSS attacks and are actually more common than you think, they are just more difficult to find than regular XSS.