Name DOM-Based XSS
Summary This type of attack is a form of Cross-Site Scripting (XSS) where a malicious script is inserted into the client-side HTML being parsed by a web browser. Content served by a vulnerable web application includes script code used to manipulate the Document Object Model (DOM). This script code either does not properly validate input, or does not perform proper output encoding, thus creating an opportunity for an adversary to inject a malicious script launch a XSS attack. A key distinction between other XSS attacks and DOM-based attacks is that in other XSS attacks, the malicious script runs when the vulnerable web page is initially loaded, while a DOM-based attack executes sometime after the page loads. Another distinction of DOM-based attacks is that in some cases, the malicious script is never sent to the vulnerable web server at all. An attack like this is guaranteed to bypass any server-side filtering attempts to protect users.
Prerequisites An application that leverages a client-side web browser with scripting enabled. An application that manipulates the DOM via client-side scripting. An application that failS to adequately sanitize or encode untrusted input.
Solutions Use browser technologies that do not allow client-side scripting. Utilize proper character encoding for all output produced within client-site scripts manipulating the DOM. Ensure that all user-supplied input is validated before use.
Related Weaknesses
CWE ID Description
CWE-20 Improper Input Validation
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-83 Improper Neutralization of Script in Attributes in a Web Page
Back to Top