DOM XSS
Category: Injection
Severity: Medium
Description
DOM Based XSS (or as it is called in some texts, "type-0 XSS") is an XSS attack wherein the attack payload is executed as a result of modifying the DOM "environment" in the victim's browser used by the original client side script, so that the client side code runs in an "unexpected" manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.
Impact
If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can:
Perform any action within the application that the user can perform.
View any information that the user is able to view.
Modify any information that the user is able to modify.
Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.
Remediation
The most effective way to avoid DOM-based vulnerabilities is to avoid allowing data from any untrusted source to dynamically alter the value that is transmitted to any sink.
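The sketch below is an added example, not code from the original page or the linked references. It shows two source-to-sink paths handled safely: a URL parameter written to the page as text instead of through `innerHTML`, and an untrusted redirect value checked before it reaches a navigation sink. The function names, the `next` and `name` parameters and the `greeting` element id are assumptions made for illustration.

```javascript
'use strict';

// Schemes a navigation sink may receive; javascript:, data: etc. are refused.
const ALLOWED_SCHEMES = new Set(['https:', 'http:']);

// Source -> navigation sink (location.assign / location.href).
// Resolves the untrusted value against the app origin and returns it only if
// it stays on that origin; otherwise returns the fallback URL.
function safeNavigationTarget(untrusted, appOrigin, fallback = '/') {
  const safeDefault = new URL(fallback, appOrigin).href;
  let url;
  try {
    url = new URL(String(untrusted), appOrigin);
  } catch {
    return safeDefault; // unparsable input never reaches the sink
  }
  const sameOrigin = url.origin === new URL(appOrigin).origin;
  return ALLOWED_SCHEMES.has(url.protocol) && sameOrigin ? url.href : safeDefault;
}

// Source -> HTML sink.
// Vulnerable form: el.innerHTML = 'Hello, ' + untrustedName;
// Hardened form: textContent stores the value as text, so markup is not parsed.
function renderGreeting(el, untrustedName) {
  el.textContent = 'Hello, ' + String(untrustedName);
  return el;
}

// Browser wiring (skipped outside a browser). The sources here are the query
// string parameters "name" and "next" (hypothetical names).
if (typeof document !== 'undefined' && typeof location !== 'undefined') {
  const params = new URLSearchParams(location.search);
  const el = document.getElementById('greeting'); // hypothetical element id
  if (el && params.has('name')) {
    renderGreeting(el, params.get('name'));
  }
  if (params.has('next')) {
    location.assign(safeNavigationTarget(params.get('next'), location.origin));
  }
}
```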
https://owasp.org/www-community/attacks/DOM_Based_XSS
https://portswigger.net/web-security/dom-based
https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html