DOM XSS

  • DOM stands for Document Object Model.
  • Every HTML page is a document.
  • DOM-based XSS is another non-persistent type of XSS.
  • The other two XSS types send the user input to the backend server.
  • DOM XSS is processed entirely on the client side through JavaScript.
  • DOM XSS occurs when JavaScript is used to change the page source through the DOM.

Example:

  • When we enter input in a text-input field, the input is reflected on the page without any request being sent to the backend server.
  • In the other two cases, a request is sent to the backend server when user input is entered.

Source & Sink

  • The Source is the JavaScript object that takes the user input; it can be any input parameter, such as a URL parameter or an input field, as we saw above.
  • The Sink is the function that writes the user input to a DOM object on the page.
    • If the Sink function does not properly sanitize the user input, it would be vulnerable to an XSS attack.
    • Common JavaScript functions to write to DOM objects are:
      • document.write()
      • DOM.innerHTML
      • DOM.outerHTML
    • Some of the jQuery library functions that write to DOM objects are:
      • add()
      • after()
      • append()
  • DOM.innerHTML does not execute a <script> tag inserted through it, so a <script>-based payload will not fire; an event-handler attribute is needed instead.
  • <img src="" onerror=alert(window.origin)> - use this payload instead.
  • Once it executes, send the same URL to the victim.