There is a way to bypass the browser's anti-XSS filter in a DOM-based XSS scenario by exploiting "window.location.href".
Consider a typical URL:
Browsers correctly percent-encode both the "path" and the "query_string", but not the "fragment_id".
Since the fragment is never sent in the HTTP request, a vector placed in the "fragment_id" is also not logged by the web server.
Chrome Version: 10.0.648.134 (Official Build 77917) beta
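The mechanism above, as an added example that is not the advisory's own index.html or PoC: a sink that echoes window.location.href into the page, the same sink with HTML escaping, and a helper that shows which part of the URL the server (and a request-based XSS filter) ever gets to see. The host name, the payload and the sample href are constructed; `href` is passed as an argument so the code runs under Node, where in a real page it would be `location.href`.

```javascript
// Added example (not the advisory's PoC): a DOM-based XSS sink that echoes
// window.location.href, next to its hardened form. `href` is passed in so
// the code runs under Node; in a page it would be location.href.

// Split a raw href string by hand. new URL() is deliberately avoided: a
// WHATWG-conformant parser percent-encodes '<' and '>' in the fragment and
// would hide the behaviour the advisory describes for that Chrome build.
function splitHref(href) {
  const hashIdx = href.indexOf("#");
  const fragment = hashIdx === -1 ? "" : href.slice(hashIdx + 1);
  const beforeHash = hashIdx === -1 ? href : href.slice(0, hashIdx);
  const qIdx = beforeHash.indexOf("?");
  const query = qIdx === -1 ? "" : beforeHash.slice(qIdx + 1);
  const pathAndOrigin = qIdx === -1 ? beforeHash : beforeHash.slice(0, qIdx);
  return { pathAndOrigin, query, fragment };
}

// Everything before '#' goes on the wire and into the server log; the
// fragment stays inside the browser.
function sentToServer(href) {
  const { pathAndOrigin, query } = splitHref(href);
  return query === "" ? pathAndOrigin : pathAndOrigin + "?" + query;
}

// Vulnerable sink: the classic "print the current URL into the page" pattern.
function renderVulnerable(href) {
  return "<p>You are at: " + href + "</p>";
}

// Hardened sink: HTML-escape before the value reaches an HTML context.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}
function renderHardened(href) {
  return "<p>You are at: " + escapeHtml(href) + "</p>";
}

// Constructed sample (hypothetical host): the same payload placed in the
// query and in the fragment, as a browser of that era handed it to
// location.href. The query copy is percent-encoded, the fragment copy is raw.
const PAYLOAD = "<svg/onload=alert(1)>";
const SAMPLE_HREF =
  "http://victim.example/index.html?q=%3Csvg/onload=alert(1)%3E#" + PAYLOAD;

// Check: does the rendered markup contain the payload verbatim?
function leaksPayload(html) {
  return html.includes(PAYLOAD);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("server sees:", sentToServer(SAMPLE_HREF));
  console.log("fragment kept raw:", splitHref(SAMPLE_HREF).fragment === PAYLOAD);
  console.log("vulnerable leaks payload:", leaksPayload(renderVulnerable(SAMPLE_HREF)));
  console.log("hardened leaks payload:", leaksPayload(renderHardened(SAMPLE_HREF)));
}
```

Two caveats for anyone re-testing this today: current browsers following the WHATWG URL standard percent-encode '<' and '>' in the fragment as well, so the raw-fragment case applies to browsers of the advisory's era; but a page that calls decodeURIComponent() on location.hash (a very common pattern) undoes that encoding and reintroduces exactly the sink shown above, still without anything reaching the server log.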
This is the vulnerable index.html page:
The attack vector is:
For your convenience, a minimalist PoC is located at:
- DOM Based Cross-Site Scripting or XSS of the Third Kind - http://www.webappsec.org/projects/articles/071105.shtml