DOM-XSS
The Document Object Model (DOM) is a web browser's hierarchical representation of the elements on the page.
Websites can use JavaScript to manipulate the nodes and objects of the DOM, as well as their properties.
You Can Know More About DOM from or
DOM manipulation in itself is not a problem. In fact, it is an integral part of how modern websites work.
DOM-based vulnerabilities arise when a website contains JavaScript that takes an attacker-controllable value, known as a source, and passes it into a dangerous function, known as a sink.
It is important to first familiarize yourself with the basics of taint flow between sources and sinks.
A source is a JavaScript property that accepts data that is potentially attacker-controlled.
Common Sources
A sink is a potentially dangerous JavaScript function or DOM object that can cause undesirable effects if attacker-controlled data is passed to it. For example, the eval() function is a sink because it processes the argument that is passed to it as JavaScript. An example of an HTML sink is document.body.innerHTML because it potentially allows an attacker to inject malicious HTML and execute arbitrary JavaScript.
Common Sinks
DOM-based vulnerabilities arise when a website passes data from a source to a sink, which then handles the data in an unsafe way in the context of the client's session.
The most common source is the URL, which is typically accessed with the location object. An attacker can construct a link to send a victim to a vulnerable page with a payload in the query string and fragment portions of the URL.
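The source-to-sink flow described above can be looked for during code review. As an added example (not code from the original notes), this heuristic helper flags script lines where a well-known source reaches a well-known sink, directly or through a variable; the source and sink lists and the sample script are assumptions constructed for illustration.

```javascript
// Added example: heuristic source-to-sink review helper (line-based, not a real taint tracker).
// The source and sink lists are a short, non-exhaustive selection assumed for this example.
const SOURCES = /\b(?:location\.(?:search|hash|href)|document\.(?:URL|referrer|cookie)|window\.name)\b/;
const SINKS = /\.(innerHTML|outerHTML)\s*\+?=(?!=)|\b(document\.write(?:ln)?)\s*\(|\b(eval)\s*\(/;
const ASSIGN = /^\s*(?:(?:const|let|var)\s+)?([A-Za-z_]\w*)\s*=(?!=)\s*(.+)$/;

// Returns [{ line, sink, source }] for each line where source data reaches a sink,
// either directly or through a variable that was earlier assigned from a source.
function findTaintFlows(code) {
  const tainted = new Map(); // variable name -> the source it was filled from
  const findings = [];

  // Name the source that feeds an expression, or null when none is visible.
  const taintOf = (expr) => {
    const direct = expr.match(SOURCES);
    if (direct) return direct[0];
    const name = [...tainted.keys()].find((v) => new RegExp(`\\b${v}\\b`).test(expr));
    return name ? tainted.get(name) : null;
  };

  code.split("\n").forEach((stmt, i) => {
    const sink = stmt.match(SINKS);
    if (sink) {
      // Only inspect what is handed to the sink, i.e. the text from the sink onwards.
      const source = taintOf(stmt.slice(sink.index));
      if (source) findings.push({ line: i + 1, sink: sink[1] || sink[2] || sink[3], source });
    }
    const assign = stmt.match(ASSIGN);
    if (assign) {
      const source = taintOf(assign[2]);
      if (source) tainted.set(assign[1], source);
      else tainted.delete(assign[1]); // overwritten with untainted data
    }
  });
  return findings;
}

// Constructed sample page script: two unsafe flows, one safe use, one sink fed a constant.
const SAMPLE = [
  'const q = new URLSearchParams(location.search).get("q");',
  'document.getElementById("a").innerHTML = location.hash.slice(1);',
  'document.write("<p>Results for " + q + "</p>");',
  'document.getElementById("b").textContent = q;',
  'eval("1 + 1");',
].join("\n");

console.log(findTaintFlows(SAMPLE));
```

Lines 2 and 3 of the sample are reported; the textContent assignment and the constant eval() are not, because no source data reaches a sink there.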
There is a reason why XSS has been in the OWASP Top 10 for 2013 and 2017. XSS can have huge implications for a web application and its users: user accounts can be hijacked, credentials can be stolen, sensitive data can be exfiltrated, and, lastly, access to your client computers can be obtained.
The majority of DOM XSS vulnerabilities can be found quickly and reliably using Burp Suite's web vulnerability scanner. To test for DOM-based cross-site scripting manually, you generally need to use a browser with developer tools, such as Chrome. You need to work through each available source in turn and test each one individually.
You can read my PortSwigger DOM labs solutions from my notes in this
From 29Ep : 35Ep
: Install this machine and you will have a lot of labs like DVWA, bWAPP, WebGoat, etc.