How To Find DOM-based XSS Vulnerabilities

What is DOM XSS

DOM-based XSS is the form of XSS in which the vulnerability lives in the client-side JavaScript of the web application rather than in server-side code. The page's own script reads attacker-controllable data from a source such as location.search, location.hash, document.referrer, window.name, localStorage or a postMessage event, and passes it to a sink such as innerHTML, document.write or eval without encoding or validating it, so the browser itself builds the malicious markup or code. The server may never see the payload at all: anything after the # in a URL is not sent as part of the request.

Finding DOM-based XSS vulnerabilities is harder than finding server-side XSS because the response the server returns looks clean; the injection happens after the page loads, so a scanner that only diffs responses, and any server-side validation or WAF, will not catch a payload delivered in the fragment. The vulnerability has to be found by reading and exercising the client-side code. The steps below help with that.

DOM-based XSS shows up in a few recurring shapes. Some common ones are:

  1. Reflected DOM-based XSS: client-side script reads a value from the URL (for example the q parameter of location.search) and writes it into the page with an HTML sink such as innerHTML, without encoding it. A search page that renders the current query into the results heading this way executes the attacker's payload as soon as the victim opens the crafted link.
  2. Stored (persistent) DOM-based XSS: the payload is saved somewhere the client-side code later reads from, such as a server-side record fetched as JSON, localStorage or sessionStorage, and is rendered with an unsafe sink when the page loads. A forum that inserts fetched messages with innerHTML, or a page that restores a draft from localStorage, runs the payload every time it is displayed, and in the localStorage case nothing ever passes through the server.
  3. DOM-based XSS through event handlers: user input is concatenated into handler code, for example el.setAttribute('onclick', 'track("' + name + '")'). Closing the quote lets the attacker append arbitrary statements that run whenever the event fires.
  4. DOM-based XSS through JavaScript evaluation: user input reaches a function that turns strings into code: eval, new Function, setTimeout or setInterval with a string argument, or a script element whose text is built from the input. Whatever the attacker controls becomes part of the program.
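The four shapes above, as an added example that is not part of the original post: each is written as a pure function so it runs in Node.js without a browser. The vulnerable version returns exactly the string the page would hand to its sink (innerHTML, an on* attribute, eval), and the hardened version beside it shows the fix. The sources (location.search, location.hash, localStorage) are assumed and passed in as arguments, and the helper names (track, showPage) are made up for the demo.

```javascript
// Added example, not code from the original post. The four DOM XSS shapes
// are written as pure functions so they can be exercised in Node.js without
// a browser: each "vulnerable" function returns the exact string the page
// would hand to its sink, and each hardened twin shows the fix. Sources
// (location.search, location.hash, localStorage) are assumed and passed in.

// Minimal HTML escaping for text placed inside an element body or a quoted
// attribute. In a real page, prefer textContent / createTextNode over this.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// 1. Reflected DOM XSS: the q parameter is read client-side and written via
//    innerHTML. The returned string is what the HTML parser would see.
function renderSearchVulnerable(search) {          // search = location.search
  const q = new URLSearchParams(search).get('q') ?? '';
  return `<p>Results for: ${q}</p>`;               // el.innerHTML = ...
}
function renderSearchSafe(search) {
  const q = new URLSearchParams(search).get('q') ?? '';
  return `<p>Results for: ${escapeHtml(q)}</p>`;
}

// 2. Stored DOM XSS: a draft saved earlier is rendered on load. `storage` is
//    a Map standing in for window.localStorage; the server never sees it.
function renderDraftVulnerable(storage) {
  return `<div class="draft">${storage.get('draft') ?? ''}</div>`;
}
function renderDraftSafe(storage) {
  return `<div class="draft">${escapeHtml(storage.get('draft') ?? '')}</div>`;
}

// 3. Event handler built from data: a display name is spliced into the code
//    string that would become el.setAttribute('onclick', ...). Closing the
//    quote turns the rest of the name into extra statements.
function buildOnclickVulnerable(name) {
  return `track("${name}")`;
}
// Hardened: never build handler source from data. Bind a closure (what you
// would pass to addEventListener) so the name is an argument, not code.
function buildClickHandlerSafe(name, track) {
  return () => track(name);
}

// 4. JavaScript evaluation: a page number from the fragment is interpolated
//    into a code string and eval'd. Anything after a ')' in the value runs.
function showPage(n) {
  return `page ${n}`;
}
function gotoPageVulnerable(hash) {                // hash = location.hash
  const page = new URLSearchParams(hash.slice(1)).get('page') ?? '1';
  return eval(`showPage(${page})`);                // attacker-controlled code
}
// Hardened: validate the value against the only thing it may be and call the
// function directly; eval is never needed to handle data.
function gotoPageSafe(hash) {
  const raw = new URLSearchParams(hash.slice(1)).get('page') ?? '1';
  if (!/^\d{1,4}$/.test(raw)) throw new RangeError(`invalid page: ${raw}`);
  return showPage(Number(raw));
}

// Demo with constructed payloads.
const probe = '<img src=x onerror=alert(1)>';
console.log(renderSearchVulnerable('?q=' + encodeURIComponent(probe)));
console.log(renderSearchSafe('?q=' + encodeURIComponent(probe)));
console.log(buildOnclickVulnerable('");alert(1);("'));
```

Run it with node: the vulnerable variants print the payload in an executable position, the safe ones print it encoded or pass it along as data. The eval case is the one to try with a payload such as page=1);globalThis.pwned=true;showPage(1 to see that the fragment alone is enough to run code.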


Here are some tips for finding DOM-based XSS vulnerabilities:

  1. Look for user input that is used to modify the DOM: trace every source the script reads (location.*, document.URL, document.referrer, window.name, cookies, Web Storage, postMessage data, fetch/XHR responses) to the place it is written. Assignments to innerHTML or outerHTML, insertAdjacentHTML, document.write, setAttribute on href, src or on* attributes, and assignments to location are the sinks to care about; textContent and setAttribute on a harmless attribute are not.
  2. Test for DOM-based XSS using input that includes special characters: put a unique marker such as zx'"<>&zx into each parameter and into the fragment, then search the rendered DOM (not just the response body) to see where it landed and whether <, >, ", ' and & came back encoded. Delivering the probe after the # is a cheap way to separate a client-side reflection from a server-side one, because the fragment is never sent to the server.
  3. Use a web application security scanner: scanners that only inspect server responses miss most DOM-based XSS because the payload never appears in one. Prefer tools that execute the JavaScript in a real browser and hook the sinks at runtime, and expect to confirm every finding by hand.
  4. Manually review the client-side code: read the scripts the page loads, including third-party and minified bundles after pretty-printing them, grep for the sinks above, then work backwards to see whether the data flowing in comes from a source the attacker controls. Pay attention to custom URL or hash parsers, decodeURIComponent calls on location values, and message event handlers that do not check event.origin. Browser devtools help: set a DOM breakpoint on the element that changes, or a breakpoint on the sink, and read the call stack when your marker arrives.
  5. Use a browser extension: tools that instrument the browser, such as Burp Suite's DOM Invader, hook sinks like innerHTML and eval, highlight where a canary string reaches them, and alert when it lands in an executable context. They also surface postMessage traffic, which is easy to miss by hand.
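Tips 1 and 4 above, reading client-side code for source-to-sink flows, as an added example that is not from the original post: a small Node.js triage script that flags every line hitting a known DOM XSS sink and names the source or variable that feeds it, using a deliberately simple line-by-line taint model. The sample script it scans is constructed for the demo, and the source and sink lists are a common but not exhaustive set.

```javascript
// Added example, not code from the original post: a source-to-sink triage
// script for client-side JavaScript, run in Node.js over a file pulled from
// the target. It flags each line that hits a known DOM XSS sink and tries to
// say which source or tainted variable feeds it, using a simple per-line
// taint model (plain assignments only; no functions, objects or aliasing).
// Treat the output as a list of places to read, not as proof of a bug.

const SOURCES = [
  'location.hash', 'location.search', 'location.href', 'document.URL',
  'document.documentURI', 'document.baseURI', 'document.referrer',
  'window.name', 'document.cookie', 'localStorage.getItem',
  'sessionStorage.getItem', 'event.data', 'e.data',
];

// Each sink is a regex evaluated on a single line plus a label for the report.
const SINKS = [
  { re: /\.innerHTML\s*=(?!=)/, name: 'innerHTML' },
  { re: /\.outerHTML\s*=(?!=)/, name: 'outerHTML' },
  { re: /\.insertAdjacentHTML\s*\(/, name: 'insertAdjacentHTML' },
  { re: /\bdocument\.write(ln)?\s*\(/, name: 'document.write' },
  { re: /\beval\s*\(/, name: 'eval' },
  { re: /\bnew\s+Function\s*\(/, name: 'Function' },
  { re: /\bset(Timeout|Interval)\s*\(\s*["'`]/, name: 'setTimeout(string)' },
  { re: /\.setAttribute\s*\(\s*["'](on\w+|href|src)["']/, name: 'setAttribute' },
  { re: /\blocation(\.href)?\s*=(?!=)/, name: 'location assignment' },
  { re: /\.html\s*\(/, name: 'jQuery html()' },
];

const escapeRe = (s) => s.replace(/[$]/g, '\\$');
// `const x = ...`, `let x = ...`, `var x = ...` or bare `x = ...` (not `==`).
const ASSIGN = /^\s*(?:(?:const|let|var)\s+)?([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+)$/;

// Returns the source string or tainted identifier found in `text`, or null.
function taintOf(text, tainted) {
  for (const src of SOURCES) if (text.includes(src)) return src;
  for (const id of tainted) {
    if (new RegExp(`\\b${escapeRe(id)}\\b`).test(text)) return id;
  }
  return null;
}

// Scans JavaScript source text and returns [{ line, sink, via, text }] for
// every sink hit. `via` names the source or tainted variable flowing in, or
// null when nothing attacker-controlled was seen reaching that line.
function scan(code) {
  const tainted = new Set();
  const findings = [];
  code.split('\n').forEach((text, i) => {
    const m = ASSIGN.exec(text);
    if (m && taintOf(m[2], tainted)) tainted.add(m[1]);   // propagate taint
    for (const sink of SINKS) {
      if (sink.re.test(text)) {
        findings.push({ line: i + 1, sink: sink.name, via: taintOf(text, tainted), text: text.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample of the kind of client-side code you would pull from a
// target: three tainted flows, one safe write (textContent) and one static sink.
const SAMPLE = `
const params = new URLSearchParams(location.search);
const q = params.get('q');
document.getElementById('results').innerHTML = '<p>Results for ' + q + '</p>';
const draft = localStorage.getItem('draft');
editor.innerHTML = draft;
const page = location.hash.slice(1);
setTimeout("showPage(" + page + ")", 0);
const safe = location.hash.slice(1);
document.getElementById('title').textContent = safe;
document.write('<footer>ok</footer>');
`.trim();

for (const f of scan(SAMPLE)) {
  const tag = f.via ? `TAINTED via ${f.via}` : 'no known taint';
  console.log(`line ${f.line}: ${f.sink} [${tag}]  ${f.text}`);
}
```

Pretty-print a minified bundle before feeding it to scan(), since the model works per line; a single 40 KB line gives one finding with no useful location. Findings with via set to null are still sinks worth a look, because the taint model does not follow data through function calls or object properties.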


Here Are Some Labs to Practice

1. DOM-based vulnerabilities By PortSwigger

2. DOM-XSS By AttackDefense

3. Google XSS Game

4. alert(1) to win

5. prompt(1) to win

6. XSS Challenges by yamagata21

7. XSS Challenges by nopernik

8. XSS Polyglot Challenge

9. Vulnweb by Acunetix

10. OWASP WebGoat Project

Here Are Some Bug Bounty Reports

Title: H1514 DOMXSS on Embedded SDK via Shopify.API.setWindowLocation abusing cookie Stuffing

Company: Shopify

Bounty: $5,000

Link: https://hackerone.com/reports/422043

Title: Multiple DOMXSS on Amplify Web Player

Company: Twitter

Bounty: $2,520

Link: https://hackerone.com/reports/88719

Title: Persistent DOM-based XSS in https://help.twitter.com via localStorage

Company: Twitter

Bounty: $1,120

Link: https://hackerone.com/reports/297968

Title: [parcel.grab.com] DOM XSS at /assets/bower_components/lodash/perf/

Company: Grab

Bounty: $200

Link: https://hackerone.com/reports/248560

Title: DOM Based XSS in mycrypto.com

Company: MyCrypto

Bounty: None

Link: https://hackerone.com/reports/324303