πŸš€ Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

DOM Based Cross Site Scripting

DOM XSS occurs when untrusted input is read from a client-side source (e.g., document.location, document.referrer, window.name, or query parameters) and is directly written into a dangerous sink in the DOM without proper sanitisation or encoding. Unlike reflected or stored XSS, DOM XSS vulnerabilities are triggered entirely in the browser by client-side JavaScript logic. An adversary can craft malicious URLs or payloads that, when loaded in a victim’s browser, execute arbitrary JavaScript with the privileges of the vulnerable web page.

Remediation

  • Avoid unsafe sinks such as innerHTML, outerHTML, document.write, eval, and setTimeout with untrusted input.
  • Use a well-vetted frontend framework (e.g., React, Angular, Vue) that automatically applies context-aware escaping and DOM sanitisation.
  • Apply context-aware output encoding (HTML, URL, JavaScript, CSS) before inserting untrusted values into the DOM.
  • Implement strict Content Security Policy (CSP) to limit the impact of injected scripts.
  • Where direct DOM manipulation is necessary, use safe alternatives like textContent or setAttribute.
  • Validate and sanitise URL parameters and other client-side data sources before processing them in the DOM.

Metadata

  • Severity: medium
  • Slug: dom-based-cross-site-scripting

CWEs

  • 79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

OWASP

  • A7:2017: Cross-Site Scripting (XSS)

Available Labs

Select a language to explore available labs for this vulnerability.

Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing β€” fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.