Firing Range - URL-based DOM XSS vulnerabilities

This page contains a set of DOM XSSes where the vulnerability is caused by a user-controllable URL. While most of the sinks support URIs with the JavaScript scheme (e.g. javascript:alert(document.domain)), some sinks use the user provided URL to fetch and execute external resources.

In the examples presented below, the value inside location.hash is assigned to various URL-based JavaScript sinks.

JSONP endpoint is provided here.
Redirection service is provided here.

Sinks supporting JavaScript URI

Assignment of location.hash to various URL-based JavaScript sinks.

location.hash - a.href - The location.hash value is assigned to the href of the anchor element.
location.hash - document.location - The location.hash value is assigned to the document.location attribute.
location.hash - form.action - The location.hash value is assigned to the form.action attribute.
location.hash - iframe.src - The location.hash value is assigned to the source of the iframe element.
location.hash - input.formaction - The location.hash value is used as the formaction of the input element.
location.hash - window.open - The location.hash value is used in the window.open function.

Assignment of location.search to various URL-based JavaScript sinks.

location.search - area.href - The location.search value is assigned to the href of the area element.
location.search - a.xlink-href - The location.search value is assigned to the xlink:href attribute of the anchor element of a svg object.
location.search - button.formaction - The location.search value is used as the formaction of the button element.
location.search - document.location.assign - The location.search value is used in the document.location.assign function.
location.search - frame.src - The location.search value is assigned to the source of the frame element.

Sinks supporting resource URIs

Assignment of location.hash to various sinks that supports resource URIs

location.hash - base.href - The location.hash value is assigned to the href attribute of the base element.
location.hash - embed.src - The location.hash value is assigned to the src attribute of the embed element.
location.hash - fetch resource - The fetch API fetches the value in location.hash as an external resource.
location.hash - link.href - The location.hash value is assigned to the href attribute of the link element.
location.hash - object.data - The location.hash value is assigned to the data attribute of the object element.
location.hash - param[code].value - The location.search value is assigned to the value attribute of a param element with type code.
location.hash - param[movie].value - The location.hash value is assigned to the value attribute of a param element with type movie.
location.hash - param[src].value - The location.search value is assigned to the value attribute of a param element with type src.
location.hash - param[url].value - The location.hash value is assigned to the value attribute of a param element with type url.
location.hash - script.href (xlink:href) - The location.hash value is assigned to the xlink:href attribute of the script element.
location.hash - script.src - The location.hash value is assigned to the src attribute of the script element.
location.hash - xhr.open - The location.hash value is used as an argument to the xhr.open function in order to fetch external resources.

Assignment of location.hash concatenated with various hard-coded values to the src attribute of a script element.

location.hash - partial domain of URI to script.src - The location.hash value is appended to "http://example.com" before being assigned to the src attribute of the script element.
location.hash - partial path of URI to script.src - The location.hash value is appended to "/" before being assigned to the src attribute of the script element.
location.hash - partial query string of URI to script.src - The location.hash value is inserted as a query parameter value into a URI string before being assigned to the src attribute of the script element.