Dom XSS (Dom-based Cross-Site Scripting)

DOM XSS (DOM-based Cross-Site Scripting)

By Rohit Gautam
DOM XSS (DOM-based Cross-Site Scripting)
Summary: DOM XSS (DOM-based Cross-Site Scripting) is a web security vulnerability that occurs when client-side JavaScript code dynamically manipulates the Document Object Model (DOM) based on untrusted data without proper validation or sanitization. By exploiting this vulnerability, attackers can inject and execute malicious scripts in the victim's browser, leading to the theft of sensitive information, session hijacking, or unauthorized actions.

Severity: High

Attack Vector: Remote

Complexity: Medium

Impact: By successfully exploiting DOM XSS, attackers can manipulate the behavior and content of web pages viewed by users, steal user credentials, perform actions on behalf of the user, distribute malware, or deface the website.

Affected IP Address:

Port: 443

Steps to Reproduce:

1. Identify the target web application vulnerable to DOM XSS.
2. Analyze client-side JavaScript code and its interaction with the DOM.
3. Look for areas where untrusted data is directly used in manipulating the DOM or executing JavaScript code.
4. Craft a malicious payload, including JavaScript or other scripting code, that can be injected into the vulnerable DOM manipulation point.
5. Inject the crafted payload into the vulnerable DOM manipulation point and observe if the injected script is executed in the victim's browser.


To mitigate DOM XSS vulnerabilities, consider the following recommendations:
1. Implement proper input validation and sanitization on all user-supplied data used in DOM manipulation.
2. Use context-aware output encoding or escaping when dynamically modifying the DOM with untrusted data.
3. Implement strong Content Security Policy (CSP) to restrict the execution of untrusted scripts and enforce strict source whitelisting.
4. Regularly update and patch web application frameworks, libraries, and dependencies to address any known DOM XSS vulnerabilities.
5. Educate developers about secure coding practices, the risks associated with DOM XSS attacks, and the importance of input validation, output encoding, and context-awareness.


1. OWASP - DOM-based Cross-Site Scripting (DOM XSS):
2. PortSwigger - DOM-based Cross-Site Scripting (DOM XSS):

Proof of Concept:

Please refer to the attached screenshot or video for a visual demonstration of a DOM XSS vulnerability.