XSS on httpstatus.io

httpstatus.io is an HTTP Status Code, Header & Redirect Checker.

For example, if we submit a URL or domain, httpstatus.io checks the HTTP status code and, if that code is a redirect (301, 302, etc.), shows where the domain is redirected to.

I try with:
  • https://google.com
The response is normal. Now I try submitting a domain without a protocol:
  • google.com
The server automatically adds the protocol to the domain. But if the input already has the form
  • protocol://domain
the server reads it as a normal URL and does not automatically add an HTTP/HTTPS protocol.
In this case, we can get XSS by using javascript as the protocol and an XSS payload as the domain:
  • javascript://%0aalert(document.domain);//

And when we click the URL.
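The root cause described above is that a user-supplied URL is reflected into a clickable link after only checking whether it "looks like" it has a scheme, so a `javascript:` scheme survives. As an added example (not code from httpstatus.io or from this post), the following JavaScript shows the defensive pattern: parse the input with the WHATWG `URL` class, prepend `https://` only when no scheme is present, accept only `http:`/`https:`, and attribute-escape the result before rendering an anchor. The function names `normalizeSubmittedUrl` and `renderLink` are assumptions for the example; the test inputs, including the payload from the post, are constructed.

```javascript
// Only these schemes may ever become an href on the results page.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
const SCHEME_RE = /^[a-zA-Z][a-zA-Z0-9+.\-]*:/;

// Returns a normalized http(s) URL string, or null if the input must be rejected.
// (hypothetical helper name; not the site's own code)
function normalizeSubmittedUrl(input) {
  const trimmed = String(input).trim();
  // Add the default scheme only when the input carries none at all.
  const candidate = SCHEME_RE.test(trimmed) ? trimmed : `https://${trimmed}`;

  let parsed;
  try {
    parsed = new URL(candidate);
  } catch {
    return null; // not a parseable URL
  }

  // Allowlist, not denylist: javascript:, data:, vbscript:, file: all fall out here.
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return null;
  if (parsed.hostname === "") return null;

  return parsed.href; // canonical form, e.g. trailing slash added
}

// Escape for safe use inside an HTML attribute value and text node.
function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Builds the anchor shown to the user; rejected input never becomes a link.
// (hypothetical helper name; not the site's own code)
function renderLink(input) {
  const url = normalizeSubmittedUrl(input);
  if (url === null) {
    return "<span>invalid URL</span>";
  }
  const safe = escapeHtml(url);
  return `<a href="${safe}" rel="noopener noreferrer">${safe}</a>`;
}

// Constructed sample inputs: the two benign cases from the post and the payload.
for (const sample of [
  "https://google.com",
  "google.com",
  "javascript://%0aalert(document.domain);//",
]) {
  console.log(JSON.stringify(sample), "=>", renderLink(sample));
}
```

The important design choice is that scheme detection and scheme acceptance are separate steps: detecting a scheme decides only whether to prepend `https://`, while an explicit allowlist on the parsed `protocol` decides whether the URL may be linked at all. Checking for the literal string `javascript:` would miss case variants and whitespace tricks; the parser lowercases the scheme before the allowlist is consulted.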