Close Menu
    What's Hot

    Why GRC Services Are Vital for Business Growth and Compliance in 2025

    July 1, 2025

    Ultimate Guide to Attack Surface Scanning

    April 10, 2025

    Recent Trends in Zero Trust Architecture

    March 3, 2025
    Facebook X (Twitter) Instagram LinkedIn WhatsApp
    HITH Blog – HackerinthehouseHITH Blog – Hackerinthehouse
    • Bug Bounty

      A Beginner’s guide to Active Directory Penetration Testing

      June 21, 2023

      Building an XSS Scanner with Python

      February 27, 2023

      Journey to Website Security: Uncovering Hyperlink Injection Dangers

      February 24, 2023

      File Upload XSS | Find XSS in a different way while doing Bug bounty and Pentesting

      January 13, 2023

      How To Find DOM-based XSS Vulnerability

      December 27, 2022
    • Pen Testing

      Privileged Escalation: How Hackers Exploit Permissions to Compromise Your Systems

      March 5, 2024

      The Ultimate Guide to Vulnerability Scanning

      December 13, 2023

      Top 10 Tools for Real World Red Teaming

      November 18, 2023

      Locking Down OAuth 2.0: Critical Steps to Protect User Accounts and Data

      November 10, 2023

      Detailed guide on Password Transmutations

      April 29, 2023
    • Cyber Security

      Why GRC Services Are Vital for Business Growth and Compliance in 2025

      July 1, 2025

      Ultimate Guide to Attack Surface Scanning

      April 10, 2025

      Recent Trends in Zero Trust Architecture

      March 3, 2025

      Modern Defensive Cybersecurity Services

      December 29, 2024

      A Comprehensive Guide on Cyber Security Services VS Cyber Security Products

      June 14, 2024
    • Services
    • Product
      • Certifications
    • More
      1. Ethical Hacking
      2. Kali Linux
      3. Write Ups
      4. CTF
      5. Blockchain
      6. Machine Learning
      7. Computer Science
      8. View All

      Journey to Website Security: Uncovering Hyperlink Injection Dangers

      February 24, 2023

      Pentest/VAPT RoE and Best Practices

      February 3, 2023

      Emoji Deploy Attack Chain

      January 24, 2023

      Introduction to Information Security

      January 11, 2023

      Cyber Security Roadmap (Part-2)

      October 25, 2022

      How to install waybacksurls in kali linux (2022)

      September 23, 2022

      How To Find Hidden Parameters

      November 12, 2022

      Top 10 Subdomain Takeover Reports

      November 6, 2022

      Pause DeSync Attack :

      November 3, 2022

      Bypassing OTP Verification Methods

      October 31, 2022

      Tryhackme Vulnversity walkthrough

      September 26, 2022

      Why GRC Services Are Vital for Business Growth and Compliance in 2025

      July 1, 2025

      Ultimate Guide to Attack Surface Scanning

      April 10, 2025

      Recent Trends in Zero Trust Architecture

      March 3, 2025

      Modern Defensive Cybersecurity Services

      December 29, 2024

      A Peek into Facial Recognition Technology

      August 21, 2023

      How Data Scientists and Machine Learning Engineers Differs

      November 8, 2022

      Artificial Neural Networks with ML

      November 4, 2022

      INTRODUCTION TO MACHINE LEARNING

      October 20, 2022

      Robotic Process Automation: The Key to Effortless Efficiency

      September 18, 2024

      BCI: Merging Minds With Machines

      August 18, 2023

      Is Quantum Computing the future of Computing?

      August 16, 2023

      Why GRC Services Are Vital for Business Growth and Compliance in 2025

      July 1, 2025

      Ultimate Guide to Attack Surface Scanning

      April 10, 2025

      Recent Trends in Zero Trust Architecture

      March 3, 2025

      Modern Defensive Cybersecurity Services

      December 29, 2024
    HITH Blog – HackerinthehouseHITH Blog – Hackerinthehouse
    Home»Bug Bounty»How To Find DOM-based XSS Vulnerability
    Bug Bounty

    How To Find DOM-based XSS Vulnerability

    adminBy adminDecember 27, 2022Updated:August 14, 2023No Comments4 Mins Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    Share
    Facebook Twitter LinkedIn Pinterest Email

    What is DOM XSS

    DOM-based XSS, in particular, is a type of XSS that occurs when the vulnerability is in the client-side code of the web application, rather than on the server-side. This means that the malicious code is injected into the Document Object Model (DOM) of the web page, rather than being sent to the server as part of a request.

    Finding DOM-based XSS vulnerabilities can be a bit more challenging than finding server-side XSS vulnerabilities, because the malicious code is not sent to the server and there is no server-side input validation to detect it. However, there are still some steps you can take to find DOM-based XSS vulnerabilities in a web application.

    There are several types of DOM-based XSS vulnerabilities that can occur in a web application. Some common types of DOM-based XSS include:

    1. Reflected DOM-based XSS: This type of vulnerability occurs when user input is reflected in the DOM without being properly validated or sanitized. For example, if a web application includes a search feature that displays the search query in the results page, an attacker could inject a malicious payload into the search query and have it executed when the results page is loaded.
    2. Persistent DOM-based XSS: This type of vulnerability occurs when user input is stored in the DOM and then displayed to other users without being properly validated or sanitized. For example, if a web application includes a forum feature where users can post messages, an attacker could inject a malicious payload into a message and have it executed whenever the message is displayed to other users.
    3. DOM-based XSS through event handlers: This type of vulnerability occurs when user input is used to set the value of an event handler in the DOM, such as an onclick event. An attacker could inject a malicious payload into the event handler, which would be executed whenever the event is triggered.
    4. DOM-based XSS through JavaScript evaluation: This type of vulnerability occurs when user input is passed to a JavaScript function that evaluates the input as code. An attacker could inject a malicious payload into the user input, which would be executed when the input is evaluated by the function.

     

    Here are some tips for finding DOM-based XSS vulnerabilities:

    1. Look for user input that is used to modify the DOM: Any time user input is used to modify the DOM, there is a potential for DOM-based XSS. This includes cases where user input is used to set the value of a DOM element, create a new DOM element, or modify the attributes of a DOM element.
    2. Test for DOM-based XSS using input that includes special characters: Special characters such as <, >, and & can be used to break out of HTML tags and inject malicious code into the DOM. Try entering special characters into input fields to see if they are properly escaped or encoded.
    3. Use a web application security scanner: There are many tools available that can help you find DOM-based XSS vulnerabilities. These tools work by crawling the web application and looking for areas where user input is used to modify the DOM.
    4. Manually review the client-side code: If you have access to the client-side code of the web application, you can manually review it for potential DOM-based XSS vulnerabilities. Look for areas where user input is used to modify the DOM, and try to identify any areas where input validation is missing or inadequate.
    5. Use a browser extension: There are several browser extensions available that can help you find DOM-based XSS vulnerabilities. These extensions work by highlighting areas of the DOM that are modified by user input, and by providing alerts when malicious input is detected.

     

    Here Are Some Labs to Practice 

    1. DOM-based vulnerabilities  By PortSwigger

    2. DOM-XSS By Attackdefence

    3. Google XSS Game

    4. alert(1) to win

    5. prompt(1) to win

    6. XSS Challenges by yamagata21

    7. XSS Challenges by nopernik

    8. XSS Polyglot Challeng

    9. Vulnweb by Acunetix

    10. OWASP WebGoat Project

    Here Are Some Bug Bounty Reports

    Title: H1514 DOMXSS on Embedded SDK via Shopify.API.setWindowLocation abusing cookie Stuffing

    Company: Shopify

    Bounty: $5,000

    Link: https://hackerone.com/reports/422043

    Title: Multiple DOMXSS on Amplify Web Player

    Company: Twitter

    Bounty: $2,520

    Link: https://hackerone.com/reports/88719

    Title: Persistent DOM-based XSS in https://help.twitter.com via localStorage

    Company: Twitter

    Bounty: $1,120

    Link: https://hackerone.com/reports/297968

    Title: [parcel.grab.com] DOM XSS at /assets/bower_components/lodash/perf/

    Company: Grab

    Bounty: $200

    Link: https://hackerone.com/reports/248560

    Title: DOM Based XSS in mycrypto.com

    Company: MyCrypto

    Bounty: None

    Link: https://hackerone.com/reports/324303

    Author

    • admin
      admin

      View all posts

    bug bounty bugbounty bugbountytips Cyber-Security dom xss dom-based xss Ethical-Hacking how to find dom-based xss
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous ArticleHow to Track Any Devices On Internet
    Next Article Importance of Malware Analysis and Threat Hunting
    admin
    • Website

    Related Posts

    Cyber Security

    Why GRC Services Are Vital for Business Growth and Compliance in 2025

    July 1, 2025
    Cyber Security

    A Comprehensive Guide to Security Compliance

    May 6, 2024
    Cyber Security

    A Comprehensive Guide to APT

    March 10, 2024
    Add A Comment
    Leave A Reply Cancel Reply

    Advertisement
    Top Posts

    How to install waybacksurls in kali linux (2022)

    September 23, 20222,587 Views

    File Upload XSS | Find XSS in a different way while doing Bug bounty and Pentesting

    January 13, 2023897 Views

    OSCP Cheat Sheet

    October 16, 2022854 Views
    Stay In Touch
    • Facebook
    • YouTube
    • TikTok
    • WhatsApp
    • Twitter
    • Instagram
    Latest Reviews

    Subscribe to Updates

    Get the latest tech news from FooBar about tech, design and biz.

    Advertisement
    X (Twitter) Instagram LinkedIn WhatsApp Telegram
    • About us
    • Contact Us
    • Privacy Policy
    • Terms
    © 2025 HITH Blog. Powered by Hackerinthehouse.

    Type above and press Enter to search. Press Esc to cancel.

    Ad Blocker Enabled!
    Ad Blocker Enabled!
    Our website is made possible by displaying online advertisements to our visitors. Please support us by disabling your Ad Blocker.