Running XSS in Modern Browsers in 302 Status Redirects

We identified an unusual response when triggering XSS through a GET parameter that is reflected into a 302 redirect.


We ran two experiments to observe how the browser handles the response.

1. javascript://evil.com%250Aalert()%3b%2f%2f

In the first attempt we added %250A to the XSS payload and got the response shown in the screenshot below.


Our XSS payload is reflected in the response. However, the response is a 302 redirect carrying a Location header, so the browser follows the redirect and we never reach the page that would trigger the XSS.



Our first attempt was unsuccessful in triggering XSS.

2. javascript://evil.com%0A%250Aalert()%3b%2f%2f

In the second attempt we added %0A%250A to the XSS payload and got the response shown in the screenshot below.


Our XSS payload is again reflected in a 302 response, but this time the Location header is missing from the response. Without a Location header the browser does not redirect, so we reached that page despite the 302 status and successfully triggered XSS on it.
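As an added defensive example (not code from the original post), the following Python shows how a redirect endpoint can reject both targets used in the experiments above. It treats the GET parameter as untrusted, refuses any control character (the raw newline produced by %0A in the second experiment is the most plausible reason the server dropped its Location header), accepts only http/https targets on an allowlisted host or a same-site path, and on rejection answers 400 with a fixed body rather than emitting a 302 whose body echoes the input. The host allowlist, the single URL-decode step and the (status, headers, body) shape are assumptions about a generic web framework, not details from the post.

```python
import re
from typing import Dict, Optional, Set, Tuple
from urllib.parse import unquote, urlsplit

# Constructed copies of the two redirect targets from the experiments above,
# exactly as they would arrive in the percent-encoded GET parameter.
EXPERIMENT_1 = "javascript://evil.com%250Aalert()%3b%2f%2f"
EXPERIMENT_2 = "javascript://evil.com%0A%250Aalert()%3b%2f%2f"

ALLOWED_SCHEMES = {"http", "https"}
# CR, LF, TAB, NUL and other control characters never belong in a header value.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def decode_once(value: str) -> str:
    """Single URL-decode, as a web framework does for a query parameter.
    Note that %250A becomes the literal text "%0A", not a newline."""
    return unquote(value)


def validate_redirect_target(raw: str, allowed_hosts: Set[str]) -> Optional[str]:
    """Return a target that is safe to place in a Location header, or None.

    `raw` is the already-decoded parameter value.  The control-character check
    runs on the raw string on purpose: urlsplit() silently strips CR/LF/TAB
    before parsing, so a check on its output would miss an injected newline.
    """
    if CONTROL_CHARS.search(raw):
        return None
    parts = urlsplit(raw)
    if parts.scheme == "" and parts.netloc == "":
        # Same-site relative path: a single leading "/" only ("//host" is
        # scheme-relative and would redirect off-site).
        if raw.startswith("/") and not raw.startswith("//"):
            return raw
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None  # rejects javascript:, data:, and any other scheme
    if parts.hostname not in allowed_hosts:
        return None
    return raw


def build_redirect_response(param: str, allowed_hosts: Set[str]) -> Tuple[int, Dict[str, str], str]:
    """Build (status, headers, body) for a redirect endpoint (assumed shape).

    A rejected target gets a 400 with a constant body.  Never answer with a 302
    whose body echoes user input: if anything strips the Location header, the
    browser renders that body like an ordinary page.
    """
    target = validate_redirect_target(decode_once(param), allowed_hosts)
    if target is None:
        return 400, {"Content-Type": "text/plain"}, "invalid redirect target"
    return 302, {"Location": target}, ""


if __name__ == "__main__":
    hosts = {"example.com"}
    for p in (EXPERIMENT_1, EXPERIMENT_2, "https%3A%2F%2Fexample.com%2Fhome", "%2Faccount"):
        print(repr(p), "->", build_redirect_response(p, hosts))
```

Both experiment payloads are rejected for two independent reasons (the `javascript:` scheme, and in the second case the decoded newline), so either check alone would have closed the hole; keeping both means a later change to scheme handling does not quietly reopen header injection.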



Reference: