
# 4.4 DOM-Based XSS

## DOM-Based XSS

<details>

<summary>What is Document Object Model (DOM)?</summary>

Document Object Model (DOM) is a programming interface for web documents. It represents the structure of HTML and XML documents as a tree-like model where each node represents a part of the document, such as elements, attributes, and text.

In simpler terms, it's a way for programs and scripts to interact with the content of web pages. Web browsers use the DOM to render web pages, and developers can use JavaScript to manipulate the DOM dynamically, changing the structure, content, and style of web pages in response to user actions or other events.

</details>

<figure><img src="/files/vt2hDFPeA34p6Bbc6IPc" alt=""><figcaption><p><a href="https://www.w3schools.com/js/js_htmldom.asp">https://www.w3schools.com/js/js_htmldom.asp</a></p></figcaption></figure>

{% embed url="<https://portswigger.net/web-security/cross-site-scripting/dom-based>" %}

<figure><img src="/files/s672KytR2wkrFWLZJVQn" alt=""><figcaption><p><a href="https://www.researchgate.net/figure/DOM-based-XSS-Attack-Model_fig7_348065719">https://www.researchgate.net/figure/DOM-based-XSS-Attack-Model_fig7_348065719</a></p></figcaption></figure>

DOM-based XSS vulnerabilities usually arise when JavaScript takes data from an attacker-controllable source, such as the URL, and passes it to a sink that supports dynamic code execution, such as `eval()` or `innerHTML`. This enables attackers to execute malicious JavaScript, which typically allows them to hijack other users' accounts.

To deliver a DOM-based XSS attack, you need to place data into a source so that it is propagated to a sink and causes execution of arbitrary JavaScript.

The most common source for DOM XSS is the URL, which is typically accessed with the `window.location` object. An attacker can construct a link to send a victim to a vulnerable page with a payload in the query string and fragment portions of the URL. In certain circumstances, such as when targeting a 404 page or a website running PHP, the payload can also be placed in the path.

{% hint style="danger" %}
Executing JavaScript from a string is an enormous security risk. It is far too easy for a bad actor to run arbitrary code when you use `eval()`. See [Never use direct eval()!](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_direct_eval!) on MDN.
{% endhint %}

{% embed url="<https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval>" %}

## Lab

{% embed url="<https://pentesteracademylab.appspot.com/lab/webapp/jfp/dom?statement=10+10>" %}

This piece of code is vulnerable because there is no input sanitisation.

<figure><img src="/files/AAol9Ud9IqbHmJheKQXY" alt=""><figcaption></figcaption></figure>

Starting from this URL: `https://pentesteracademylab.appspot.com/lab/webapp/jfp/dom?statement=` we can append code that the page passes to the JavaScript `eval()` function; combined with `document.getElementById`, this can change the [DOM HTML attribute value](https://www.w3schools.com/js/js_htmldom_html.asp).
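The source-to-sink flow described above and the lab's `statement` parameter, as an added example that is not part of these notes or of the lab's own code. It models the lab's pattern (source: the `statement` query parameter; sink: `eval()`) next to a hardened replacement that only accepts arithmetic and writes the result with `textContent`. The lab URL comes from this page; `getStatement`, `safeCompute`, `render`, the grammar and the `result` element id are assumptions made for this example, and a plain object stands in for the DOM element so the code also runs under Node.

```javascript
// Added example (not the notes' or the lab's own code). It models the lab's
// pattern: source = the `statement` query parameter, sink = eval().

// Lab URL taken from the page; the value after `statement=` is the source.
const LAB_BASE = "https://pentesteracademylab.appspot.com/lab/webapp/jfp/dom?statement=";

// Source: read `statement` from the URL the way a page would read it from
// window.location. Parsed by hand because URLSearchParams turns '+' into a
// space, which would corrupt an expression such as 10+10.
function getStatement(url) {
  const query = new URL(url).search.slice(1);
  for (const pair of query.split("&")) {
    const [key, value = ""] = pair.split("=");
    if (key === "statement") return decodeURIComponent(value);
  }
  return null;
}

// Vulnerable sink (the lab's pattern): the URL value reaches eval() untouched,
// so any valid JavaScript runs, not only arithmetic.
function vulnerableCompute(url) {
  const statement = getStatement(url);
  return eval(statement); // DOM XSS sink
}

// Hardened replacement: a small recursive-descent parser that accepts only
// integer arithmetic. Grammar (hypothetical, chosen for this example):
//   expr   := term (('+' | '-') term)*
//   term   := factor (('*' | '/') factor)*
//   factor := number | '(' expr ')' | '-' factor
function safeCompute(url) {
  const statement = getStatement(url);
  if (statement === null) throw new Error("missing statement");
  // Allow-list check first: anything outside digits/operators/parens is rejected.
  if (!/^[0-9+\-*\/() ]+$/.test(statement)) {
    throw new Error("rejected: non-arithmetic input");
  }
  const s = statement.replace(/\s+/g, "");
  let pos = 0;
  const peek = () => s[pos];
  function number() {
    const start = pos;
    while (pos < s.length && s[pos] >= "0" && s[pos] <= "9") pos++;
    if (start === pos) throw new Error("expected number at " + start);
    return Number(s.slice(start, pos));
  }
  function factor() {
    if (peek() === "-") { pos++; return -factor(); }
    if (peek() === "(") {
      pos++;
      const v = expr();
      if (peek() !== ")") throw new Error("expected ) at " + pos);
      pos++;
      return v;
    }
    return number();
  }
  function term() {
    let v = factor();
    while (peek() === "*" || peek() === "/") {
      const op = s[pos++];
      const r = factor();
      v = op === "*" ? v * r : v / r;
    }
    return v;
  }
  function expr() {
    let v = term();
    while (peek() === "+" || peek() === "-") {
      const op = s[pos++];
      const r = term();
      v = op === "+" ? v + r : v - r;
    }
    return v;
  }
  const result = expr();
  if (pos !== s.length) throw new Error("unexpected input at " + pos);
  return result;
}

// Output side: write with textContent, never innerHTML, so the result is shown
// as text. `el` stands in for document.getElementById("result") (hypothetical
// element id); a plain object is used so this also runs under Node.
function render(el, value) {
  el.textContent = String(value);
  return el.textContent;
}

// Stand-alone run: the lab's own sample statement through both paths.
const fakeResult = { textContent: "" };
console.log("vulnerable:", vulnerableCompute(LAB_BASE + "10+10"));           // 20
console.log("safe:", render(fakeResult, safeCompute(LAB_BASE + "10+10")));   // "20"
```

The point of the two paths is that `vulnerableCompute` returns whatever the statement evaluates to, including string methods and anything else that is valid JavaScript, while `safeCompute` gives the same answer for `10+10` and throws on any input that is not arithmetic before it ever reaches an interpreter. Writing the result with `textContent` closes the second sink: even if a value slipped through, it would be rendered as text rather than parsed as HTML.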

{% embed url="<https://www.w3schools.com/js/js_htmldom_html.asp>" %}

<figure><img src="/files/y5JlpCxEBI3A3oc18kjR" alt=""><figcaption></figcaption></figure>

{% embed url="<https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting/dom-xss>" %}
