Before explaining DOM-based XSS, let me explain what the DOM is.
Like server-side scripts, client-side scripts can also accept and manipulate user input with the help of the DOM (Document Object Model). Consider the following client-side script:
var pos = document.URL.indexOf("BTSinput=") + 9; // 9 = length of "BTSinput=", so pos is where the value starts
var userInput = document.URL.substring(pos, document.URL.length); // copy everything after "BTSinput=" into userInput
document.write(unescape(userInput)); // URL-decode the value and write it straight into the page as HTML
For example, if the URL is
The webpage will display “default” as output.
Did you notice?! That part of the webpage is not written by a server-side script. The client-side script modifies the content dynamically based on the input, and everything is done with the help of the DOM object ‘document’.
DOM Based XSS vulnerability:
When a developer writes content through a DOM object without sanitizing the user input, it allows an attacker to run his own code.
In the above example, we failed to sanitize the input and simply displayed whatever value we got from the URL.
An attacker with malicious intent can inject an XSS vector instead. For example:
As I said earlier, the document.write function simply writes the value of the BTSinput parameter into the webpage. So it will write ‘<script>alert("BreakTheSec")</script>’ into the webpage without sanitizing it. This results in the script code running and displaying the alert box.
Patching the DOM Based Cross Site Scripting Vulnerability
The document.write() function
The document.writeln() function
The execScript() function, which works similarly to eval()
The setInterval(), setTimeout(), and navigate() functions
The .innerHTML property of a DOM element
Certain CSS properties which allow URLs such as .style, .backgroundImage, .listStyleImage, etc.
Any data derived from data under the client’s control (e.g. request parameters, headers, query parameters, cookie names and values, the URL of the request itself, etc.) should be escaped before being used in one of the sinks above. Examples of user-controlled data include document.location (and most of its properties, e.g. document.location.search), document.referrer, cookie names and values, and request header names and values.
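As an added example (not code from the original post), here is the vulnerable extraction from the snippet above placed beside a hardened version that follows the advice in this section: parse the query string with the URL API instead of slicing document.URL, render the value through a text sink (textContent) rather than document.write, and, where an HTML sink is unavoidable, escape the value first. The parameter name BTSinput and the alert payload come from the post; the function names and the sample URLs are constructed for this example.

```javascript
// 1. The post's extraction: substring after "BTSinput=" with no sanitization.
//    Kept here only so the two approaches can be compared side by side.
function extractNaive(url) {
  var pos = url.indexOf("BTSinput=") + 9; // 9 = "BTSinput=".length
  return unescape(url.substring(pos, url.length));
}

// 2. Parse the query string with the URL API instead of string slicing.
//    Returns null when the parameter is absent and does not swallow trailing
//    parameters or the fragment the way the naive version does.
function extractParam(url, name) {
  return new URL(url).searchParams.get(name);
}

// 3. Render the value as text, never as markup. textContent (or createTextNode)
//    is a safe sink: the browser stores the string and does not parse it as HTML.
//    Falls back to the post's "default" when the parameter is missing.
function renderAsText(container, value) {
  container.textContent = value === null ? "default" : value;
  return container.textContent;
}

// 4. If a string really must go into an HTML sink (innerHTML, document.write),
//    escape the characters that carry meaning in HTML before inserting it.
function escapeHtml(str) {
  var map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Constructed sample URLs (hypothetical host, not from the post).
var benignUrl = "http://example.test/page.html?BTSinput=default";
var hostileUrl =
  "http://example.test/page.html?BTSinput=%3Cscript%3Ealert(%22BreakTheSec%22)%3C%2Fscript%3E&x=1";

if (typeof document !== "undefined") {
  // In a browser: the hardened flow the post's snippet should have used.
  var target = document.getElementById("output") || document.body;
  renderAsText(target, extractParam(document.URL, "BTSinput"));
}
```

Run in a browser, the block writes the parameter into an element with id "output" (assumed to exist; otherwise the body) as plain text, so a <script> tag in the URL is displayed literally instead of executed. Note that extractNaive on hostileUrl also returns the trailing "&x=1", which is why string slicing of document.URL is a poor parser even before the XSS problem.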