Good day!
I study types of xss.Now I’ve stopped at XSS DOM.
I'm testing everything on the updated dvwa(Damn Vulnerable Web Application).

Most browsers encode the url string and I cannot write javascript to url-e as I did before.My request is converted to:
www.xss/com/default=123% 253Cscript% 253Ealert('XSS')% 253C% 252Fscript% 253E


Hint:
There is no need to do anything on the server side because the protection mechanism is on the client side.

Advise the methods of operation or in what direction to move?

2 Answers 2

Try using a mixed obfuscated xss-payload.
  • does not work – Glorious90 Mar 27 '18 at 18:38
Hi.If you use Chrome, it’s a XSS auditor.
I recommend reading the Brute block on this topic: https://brutelogic.com.br/blog/chrome-xss-bypass/

Also, check it out https://metascan.ru to automatically search for XSS in the project.