# DOM-XSS

## DOM-Based Cross-Site Scripting <a href="#dom-based-cross-site-scipting" id="dom-based-cross-site-scipting"></a>

### 📚 What Is DOM XSS? <a href="#what-is-dom-xss" id="what-is-dom-xss"></a>

The **Document Object Model (DOM)** is a web browser's hierarchical representation of the elements on the page.

Websites can use **JavaScript** to **manipulate** the nodes and **objects** of the **DOM**, as well as their properties. **DOM** manipulation in itself is not a problem. In fact, it is an integral part of how modern websites work.

You can learn more about the **DOM** [**here**](https://www.w3schools.com/js/js_htmldom.asp) or [**here**](https://www.youtube.com/watch?v=LlQC9sU0coM\&list=PLDoPjvoNmBAxx97QDMOCpzxbu1ZHJ4i7i).

**DOM-based vulnerabilities** arise when a website contains **JavaScript that takes an attacker-controllable value**, known as a **source**, and passes it into a **dangerous function**, known as a **sink**.

## **What is taint flow?** <a href="#what-is-taint-flow" id="what-is-taint-flow"></a>

To understand how DOM-based vulnerabilities arise, it is important to first familiarize yourself with the basics of **taint flow** between **sources** and **sinks**.

### **1. Sources** <a href="#id-1-sources" id="id-1-sources"></a>

A **source** is a **JavaScript property** that **accepts data that is potentially attacker-controlled**.

**Common Sources**

```javascript
document.URL
document.documentURI
document.URLUnencoded
document.baseURI
location
document.cookie
document.referrer
window.name
history.pushState
history.replaceState
localStorage
sessionStorage
IndexedDB (mozIndexedDB, webkitIndexedDB, msIndexedDB)
Database
```

### **2. Sinks** <a href="#id-2-sinks" id="id-2-sinks"></a>

A **sink** is a potentially **dangerous JavaScript function** or **DOM object** that can cause undesirable effects if attacker-controlled data is passed to it. For example, the **eval()** function is a **sink** because it processes the argument that is passed to it as JavaScript. An example of an HTML sink is **document.body.innerHTML** because it potentially allows an attacker to inject **malicious HTML** and **execute arbitrary JavaScript**.

**Common Sinks**

```javascript
location
location.host
location.hostname
location.href
location.pathname
location.search
location.protocol
location.assign()
location.replace()
open()
element.srcdoc
XMLHttpRequest.open()
XMLHttpRequest.send()
jQuery.ajax()
$.ajax()
```

Note that most of the entries above are sinks that navigate the browser or send a request with attacker-controlled data (the sinks behind DOM-based open redirection and request injection). The sinks that lead directly to script execution, which is what DOM XSS needs, are the ones named in the definition above: code-evaluating functions such as `eval()` and HTML-rendering sinks such as `innerHTML` and `document.write()`. The `location` properties are sinks when they are **assigned to**; when they are **read**, they are sources.

***

## 🤔 Why Does DOM XSS Happen? <a href="#why-dom-xss-happen" id="why-dom-xss-happen"></a>

**DOM-based vulnerabilities** arise when a website passes data from a **source** to a **sink**, which then handles the data in an **unsafe way** in the context of the client's session.

The most common source is the URL, which is typically accessed with the `location` object. An attacker can construct a link that sends a victim to a vulnerable page with a payload in the query string or in the fragment portion of the URL. A payload placed in the fragment (everything after `#`) is never sent to the server, so the whole vulnerable flow happens inside the browser and server-side filtering and request logging never see it.
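The following is an added example, not code from the original page or from PortSwigger, that walks the flow just described end to end: the `search` parameter is read from the URL (source), concatenated into markup and assigned to `innerHTML` (sink), and then the same flow is shown with output encoding applied. The page, the `search` parameter, the `example.test` host and the two attacker URLs are constructed for the example; a tiny `fakeDocument` object stands in for the real DOM so the code runs offline under Node.js as well as in a browser.

```javascript
// Added example (not from the original page): a minimal DOM-XSS taint flow
// from the URL (source) to innerHTML (sink), beside the hardened version.

// Source: the "search" value from the URL. Both the query string and the
// fragment are checked, because attacker-controlled data can arrive in either.
function getSearchTerm(url) {
  const u = new URL(url); // WHATWG URL parser, available in browsers and Node
  const fromQuery = u.searchParams.get('search');
  if (fromQuery !== null) return fromQuery;
  const hashParams = new URLSearchParams(u.hash.replace(/^#/, ''));
  return hashParams.get('search');
}

// Sink: innerHTML. Building markup by string concatenation lets any HTML in
// `term` become part of the document, including event handler attributes.
function renderUnsafe(term) {
  return '<p>You searched for: ' + term + '</p>'; // destined for element.innerHTML
}

// Hardened version: escape the characters that are significant in HTML before
// the value is placed in element content or a double-quoted attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}
function renderSafe(term) {
  return '<p>You searched for: ' + escapeHtml(term) + '</p>';
}

// What the server receives: only the path and query. The fragment stays in
// the browser, so a server-side filter or access log cannot see it.
function serverVisiblePart(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}

// Constructed samples: links an attacker might send to a victim. The payload
// is URL-encoded `<img src=x onerror=alert(...)>`.
const ATTACKER_URL =
  'https://example.test/results?search=%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E';
const ATTACKER_URL_FRAGMENT =
  'https://example.test/results#search=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E';

// Drive source -> render -> sink against a stand-in for the DOM and return
// what ends up in the document.
function simulate(url, render) {
  const fakeDocument = { body: { innerHTML: '' } };
  const term = getSearchTerm(url);            // source
  fakeDocument.body.innerHTML = render(term);  // sink
  return fakeDocument.body.innerHTML;
}

// Stand-alone run: show the unsafe and safe results side by side.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:      ', simulate(ATTACKER_URL, renderUnsafe));
  console.log('safe:        ', simulate(ATTACKER_URL, renderSafe));
  console.log('server sees: ', serverVisiblePart(ATTACKER_URL_FRAGMENT));
}
```

In a real page the `renderUnsafe` string would be assigned to a live element's `innerHTML`, and the `<img>` tag's `onerror` handler would fire as soon as the browser tried to load `x`. The hardened variant keeps the same structure but encodes the value; an even simpler fix is to write the term with `textContent` instead of `innerHTML`, so no markup is parsed at all.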

***

### ✅ Examples <a href="#examples" id="examples"></a>

You can read my PortSwigger DOM labs solutions in my notes here: [Port-Swigger Labs](https://0xkourama.gitbook.io/blog/port-swigger-labs/dom-xss)

***

### ⚔ Impact <a href="#impact" id="impact"></a>

There is a reason XSS had its own entry in the **OWASP Top 10** in both **2013** and **2017**. XSS can have huge implications for a web application and its users. **User accounts can be hijacked**, **credentials** can be **stolen**, **sensitive data** can be **exfiltrated**, and in the worst case (for example, when chained with a browser exploit) the attacker can gain access to the user's computer. Because the injected script runs with the victim's session, it can also perform any action in the application that the victim is allowed to perform.

***

### 🔎 How To Find <a href="#how-to-find" id="how-to-find"></a>

The majority of DOM XSS vulnerabilities can be found quickly and reliably using **Burp Suite's web vulnerability scanner**. To test for DOM-based cross-site scripting manually, you generally need a browser with developer tools, such as Chrome. Work through each available source in turn and test each one individually: place a unique, easily searchable string in the source (for example, in a URL parameter or in the fragment), then use the developer tools to inspect the **live DOM** (not "view source", which only shows the HTML the server sent) and find where the string landed. For each place it appears, check whether it was HTML-encoded or written raw, and whether it sits in element content, an attribute or a script block, because that determines which payload will execute.
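Working through every source by hand is tedious on a large page, so a useful first step is to find out which sources and sinks the page's JavaScript references at all. The following is an added example, not code from the original page or from Burp Suite, that greps a script for the sources and sinks listed earlier on this page and reports the line of each hit. It is a text search, not a data-flow analysis: a hit only tells you where to set a breakpoint and follow the value in the developer tools. The `SAMPLE_PAGE_SCRIPT` it scans is constructed for the example.

```javascript
// Added example (not from the original page): first-pass triage of a page's
// JavaScript for DOM-XSS sources and sinks. Each pattern is a plain regex; a
// hit is a place to investigate, not a confirmed vulnerability.

// Reads of attacker-controllable values. `location.href` counts as a source
// only when it is read; when it is assigned it is a sink (see below).
const SOURCE_PATTERNS = [
  ['location.search', /\blocation\.search\b/],
  ['location.hash', /\blocation\.hash\b/],
  ['location.href (read)', /\blocation\.href\b(?!\s*=[^=])/],
  ['location.pathname', /\blocation\.pathname\b/],
  ['document.URL and friends', /\bdocument\.(?:URL|documentURI|URLUnencoded|baseURI)\b/],
  ['document.cookie', /\bdocument\.cookie\b/],
  ['document.referrer', /\bdocument\.referrer\b/],
  ['window.name', /\bwindow\.name\b/],
  ['localStorage/sessionStorage', /\b(?:localStorage|sessionStorage)\b/],
];

// Places where attacker-controlled data causes script execution, HTML
// rendering, navigation or an outgoing request.
const SINK_PATTERNS = [
  ['eval()', /\beval\s*\(/],
  ['Function()', /\bFunction\s*\(/],
  ['setTimeout/setInterval with a string', /\bset(?:Timeout|Interval)\s*\(\s*['"`]/],
  ['innerHTML/outerHTML assignment', /\.(?:innerHTML|outerHTML)\s*\+?=(?!=)/],
  ['document.write()', /\bdocument\.write(?:ln)?\s*\(/],
  ['insertAdjacentHTML()', /\.insertAdjacentHTML\s*\(/],
  ['location assignment', /\blocation(?:\.\w+)?\s*=(?!=)/],
  ['location.assign()/replace()', /\blocation\.(?:assign|replace)\s*\(/],
  ['open()', /\bopen\s*\(/],              // window.open and XMLHttpRequest.open
  ['srcdoc assignment', /\.srcdoc\s*=(?!=)/],
  ['jQuery.ajax()', /(?:\bjQuery|\$)\.ajax\s*\(/],
];

// Scan `scriptText` line by line and return one finding per pattern hit:
// { line, kind: 'source' | 'sink', name, text }.
function triageScript(scriptText) {
  const findings = [];
  scriptText.split('\n').forEach((rawLine, idx) => {
    const line = rawLine.replace(/\/\/.*$/, ''); // ignore trailing line comments
    for (const [name, re] of SOURCE_PATTERNS) {
      if (re.test(line)) findings.push({ line: idx + 1, kind: 'source', name, text: rawLine.trim() });
    }
    for (const [name, re] of SINK_PATTERNS) {
      if (re.test(line)) findings.push({ line: idx + 1, kind: 'sink', name, text: rawLine.trim() });
    }
  });
  return findings;
}

// Constructed sample of page JavaScript with a classic search-box flow, an
// open-redirect flow, and a couple of reads that are sources but not sinks.
const SAMPLE_PAGE_SCRIPT = [
  "var q = new URLSearchParams(location.search).get('q');",
  "document.getElementById('out').innerHTML = 'Results for ' + q;",
  "var next = decodeURIComponent(location.hash.slice(1));",
  "if (next) location.href = next;",
  "var who = window.name;",
  "console.log(document.cookie.length); // read only, but still a source",
  "if (location.href === canonical) {}",
].join('\n');

// Stand-alone run: print a finding per line so the tester knows where to look.
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of triageScript(SAMPLE_PAGE_SCRIPT)) {
    console.log(`${f.kind.padEnd(6)} line ${f.line}: ${f.name}  ->  ${f.text}`);
  }
}
```

On the sample script the scanner flags `location.search` on line 1 flowing (by eye) into the `innerHTML` assignment on line 2, which is the DOM-XSS candidate, and `location.hash` on line 3 into the `location.href` assignment on line 4, which is an open-redirect candidate. Line 7 reads `location.href` in a comparison and is correctly reported as a source, not a sink. Minified or bundled code will still hit these patterns, but the source-to-sink path then has to be traced with breakpoints rather than by reading the lines.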

***

### 📕 Reference <a href="#referance" id="referance"></a>

[**DomGoat - DOM Security Learning Platform**](https://domgo.at/cxss/intro)

[**portswigger**](https://portswigger.net/web-security/dom-based)

[**OWASP**](https://owasp.org/www-community/attacks/xss/)

[**PayloadsAllTheThings**](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection)

[**hacktricks**](https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting)

[**hackingarticles**](https://www.hackingarticles.in/comprehensive-guide-on-cross-site-scripting-xss/)

[**Ebrahem Hegazy**](https://www.youtube.com/watch?v=xiw_O5shcK4\&list=PLv7cogHXoVhXvHPzIl1dWtBiYUAL8baHj\&index=29), episodes **29** to **35**

***

### 🔬 Labs <a href="#labs" id="labs"></a>

[**portswigger**](https://portswigger.net/web-security/dom-based)

[**OWASP Broken Web Applications Project**](https://sourceforge.net/projects/owaspbwa/)**:** \
Install this virtual machine and you will have a lot of labs, such as **DVWA**, **bWAPP**, **WebGoat**, etc.

