5.3.4 DOM-Based XSS

DOM-Based XSS

What is Document Object Model (DOM)?

Document Object Model (DOM) is a programming interface for web documents. It represents the structure of HTML and XML documents as a tree-like model where each node represents a part of the document, such as elements, attributes, and text.

In simpler terms, it's a way for programs and scripts to interact with the content of web pages. Web browsers use the DOM to render web pages, and developers can use JavaScript to manipulate the DOM dynamically, changing the structure, content, and style of web pages in response to user actions or other events.

https://www.w3schools.com/js/js_htmldom.asp

What is DOM-based XSS (cross-site scripting)? Tutorial & Examples | Web Security AcademyWebSecAcademy

https://www.researchgate.net/figure/DOM-based-XSS-Attack-Model_fig7_348065719

DOM-based XSS vulnerabilities usually arise when JavaScript takes data from an attacker-controllable source, such as the URL, and passes it to a sink that supports dynamic code execution, such as eval() or innerHTML. This enables attackers to execute malicious JavaScript, which typically allows them to hijack other users' accounts.

To deliver a DOM-based XSS attack, you need to place data into a source so that it is propagated to a sink and causes execution of arbitrary JavaScript.

The most common source for DOM XSS is the URL, which is typically accessed with the window.location object. An attacker can construct a link to send a victim to a vulnerable page with a payload in the query string and fragment portions of the URL. In certain circumstances, such as when targeting a 404 page or a website running PHP, the payload can also be placed in the path.

Executing JavaScript from a string is an enormous security risk. It is far too easy for a bad actor to run arbitrary code when you use eval(). See Never use direct eval()!, below.

eval() - JavaScript | MDN

Lab

Pentester Academy Lab

This piece of code is vulnerable, because there's not input sanitisation

Starting of this URL: https://pentesteracademylab.appspot.com/lab/webapp/jfp/dom?statement= we can add code that will be executed using eval JS function with the document.getElementByID that will change the DOM HTML attribute value

JavaScript DOM HTML

DOM XSSHackTricks