DOM XSS
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
DOM vulnerabilities occur when data from attacker-controlled sources (like location.search
, document.referrer
, or document.cookie
) is unsafely transferred to sinks. Sinks are functions or objects (e.g., eval()
, document.body.innerHTML
) that can execute or render harmful content if given malicious data.
Sources are inputs that can be manipulated by attackers, including URLs, cookies, and web messages.
Sinks are potentially dangerous endpoints where malicious data can lead to adverse effects, such as script execution.
The risk arises when data flows from a source to a sink without proper validation or sanitation, enabling attacks like XSS.
You can find a more updated list of sources and sinks in https://github.com/wisec/domxsswiki/wiki
Common sources:
Common Sinks:
location
eval()
scriptElement.src
add()
location.host
Function() constructor
scriptElement.text
after()
location.hostname
setTimeout()
scriptElement.textContent
append()
location.href
setInterval()
scriptElement.innerText
animate()
location.pathname
setImmediate()
someDOMElement.setAttribute()
insertAfter()
location.search
execCommand()
someDOMElement.search
insertBefore()
location.protocol
execScript()
someDOMElement.text
before()
location.assign()
msSetImmediate()
someDOMElement.textContent
html()
location.replace()
range.createContextualFragment()
someDOMElement.innerText
prepend()
open()
crypto.generateCRMFRequest()
someDOMElement.outerText
replaceAll()
XMLHttpRequest.open()
FileReader.readAsArrayBuffer()
someDOMElement.name
wrap()
XMLHttpRequest.send()
FileReader.readAsBinaryString()
someDOMElement.target
wrapInner()
jQuery.ajax()
FileReader.readAsDataURL()
someDOMElement.method
wrapAll()
$.ajax()
FileReader.readAsText()
someDOMElement.type
has()
XMLHttpRequest.setRequestHeader()
FileReader.root.getFile()
someDOMElement.cssText
init()
XMLHttpRequest.open()
FileReader.root.getFile()
someDOMElement.codebase
index()
jQuery.globalEval()
someDOMElement.href
someDOMElement.outerHTML
$.parseHTML()
localStorage.setItem()
document.evaluate()
document.writeln()
$.parseJSON()
**[**`Denial of Service`**](dom-xss.md#denial-of-service)**
someDOMElement.evaluate()
document.title
requestFileSystem()
document.implementation.createHTMLDocument()
document.cookie
executeSql()
postMessage()
``
``
The innerHTML
sink doesn't accept script
elements on any modern browser, nor will svg onload
events fire. This means you will need to use alternative elements like img
or iframe
.
This kind of XSS is probably the hardest to find, as you need to look inside the JS code, see if it's using any object whose value you control, and in that case, see if there is any way to abuse it to execute arbitrary JS.
Browser extension to check every data taht reaches a potential sink: https://github.com/kevin-mizu/domloggerpp
From: https://portswigger.net/web-security/dom-based/open-redirection
Open redirect vulnerabilities in the DOM occur when a script writes data, which an attacker can control, into a sink capable of initiating navigation across domains.
It's crucial to understand that executing arbitrary code, such as javascript:alert(1)
, is possible if you have control over the start of the URL where the redirection occurs.
Sinks:
From: https://portswigger.net/web-security/dom-based/cookie-manipulation
DOM-based cookie-manipulation vulnerabilities occur when a script incorporates data, which can be controlled by an attacker, into the value of a cookie. This vulnerability can lead to unexpected behavior of the webpage if the cookie is utilized within the site. Additionally, it can be exploited to carry out a session fixation attack if the cookie is involved in tracking user sessions. The primary sink associated with this vulnerability is:
Sinks:
From: https://portswigger.net/web-security/dom-based/javascript-injection
DOM-based JavaScript injection vulnerabilities are created when a script runs data, which can be controlled by an attacker, as JavaScript code.
Sinks:
From: https://portswigger.net/web-security/dom-based/document-domain-manipulation
Document-domain manipulation vulnerabilities occur when a script sets the document.domain
property using data that an attacker can control.
The document.domain
property plays a key role in the enforcement of the same-origin policy by browsers. When two pages from different origins set their document.domain
to the same value, they can interact without restrictions. Although browsers impose certain limits on the values assignable to document.domain
, preventing the assignment of completely unrelated values to the actual page origin, exceptions exist. Typically, browsers permit the use of child or parent domains.
Sinks:
From: https://portswigger.net/web-security/dom-based/websocket-url-poisoning
WebSocket-URL poisoning occurs when a script utilizes controllable data as the target URL for a WebSocket connection.
Sinks:
The WebSocket
constructor can lead to WebSocket-URL poisoning vulnerabilities.
From: https://portswigger.net/web-security/dom-based/link-manipulation
DOM-based link-manipulation vulnerabilities arise when a script writes attacker-controllable data to a navigation target within the current page, such as a clickable link or the submission URL of a form.
Sinks:
From: https://portswigger.net/web-security/dom-based/ajax-request-header-manipulation
Ajax request manipulation vulnerabilities arise when a script writes attacker-controllable data into an Ajax request that is issued using an XmlHttpRequest
object.
Sinks:
From: https://portswigger.net/web-security/dom-based/local-file-path-manipulation
Local file-path manipulation vulnerabilities arise when a script passes attacker-controllable data to a file-handling API as the filename
parameter. This vulnerability can be exploited by an attacker to construct a URL that, if visited by another user, could lead to the user's browser opening or writing an arbitrary local file.
Sinks:
From: https://portswigger.net/web-security/dom-based/client-side-sql-injection
Client-side SQL-injection vulnerabilities occur when a script incorporates attacker-controllable data into a client-side SQL query in an unsafe way.
Sinks:
From: https://portswigger.net/web-security/dom-based/html5-storage-manipulation
HTML5-storage manipulation vulnerabilities arise when a script stores attacker-controllable data in the web browser's HTML5 storage (localStorage
or sessionStorage
). While this action is not inherently a security vulnerability, it becomes problematic if the application subsequently reads the stored data and processes it unsafely. This could allow an attacker to leverage the storage mechanism to conduct other DOM-based attacks, such as cross-site scripting and JavaScript injection.
Sinks:
From: https://portswigger.net/web-security/dom-based/client-side-xpath-injection
DOM-based XPath-injection vulnerabilities occur when a script incorporates attacker-controllable data into an XPath query.
Sinks:
From: https://portswigger.net/web-security/dom-based/client-side-json-injection
DOM-based JSON-injection vulnerabilities occur when a script incorporates attacker-controllable data into a string that is parsed as a JSON data structure and then processed by the application.
Sinks:
From: https://portswigger.net/web-security/dom-based/web-message-manipulation
Web-message vulnerabilities arise when a script sends attacker-controllable data as a web message to another document within the browser. An example of vulnerable Web-message manipulation can be found at PortSwigger's Web Security Academy.
Sinks:
The postMessage()
method for sending web messages can lead to vulnerabilities if the event listener for receiving messages handles the incoming data in an unsafe way.
From: https://portswigger.net/web-security/dom-based/dom-data-manipulation
DOM-data manipulation vulnerabilities arise when a script writes attacker-controllable data to a field within the DOM that is utilized within the visible UI or client-side logic. This vulnerability can be exploited by an attacker to construct a URL that, if visited by another user, can alter the appearance or behaviour of the client-side UI.
Sinks:
From: https://portswigger.net/web-security/dom-based/denial-of-service
DOM-based denial-of-service vulnerabilities occur when a script passes attacker-controllable data unsafely to a problematic platform API. This includes APIs that, when invoked, can lead the user's computer to consume excessive amounts of CPU or disk space. Such vulnerabilities can have significant side effects, such as the browser restricting the website's functionality by rejecting attempts to store data in localStorage
or terminating busy scripts.
Sinks:
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)