DOM Based Cross-Site Scripting

DOM stands for Document Object Model; it is the data representation of the objects that make up the structure of a web page.

DOM based XSS, like the reflected XSS discussed previously, is a result of improper handling of HTML input and output. However, unlike reflected XSS, DOM based XSS is not delivered through an HTTP request whose immediate response contains the payload. Instead, DOM based XSS attack vectors exist when an application contains client-side JavaScript that processes data from an untrusted source and, typically, writes that data back into the DOM. Although DOM based XSS is a different type of XSS, it still targets the end user.

As such, an application with a URL of

www.northgreen-insecuresite.com/index.html?profile=developer

that displays different content based on the profile value may be vulnerable to DOM based Cross-Site Scripting.

When a user requests the above URL the following steps take place:

  • The user requests the page index.html
  • The browser creates a DOM object for the page and populates the document.location object with the URL
  • The JavaScript code in the page reads the profile parameter from document.location, echoes it into the DOM at runtime and renders the page

To turn this into a malicious request, an attacker may provide a URL of

www.northgreen-insecuresite.com/index.html?profile=#<script>alert(1)</script>

The payload within the profile parameter sits in the URL fragment, so it is never sent to the server; it is loaded into the DOM at runtime and executes in the user’s browser.
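The steps and the fragment behaviour described above, as an added example that is not part of the original article: a stand-in for the vulnerable client-side code beside a hardened version, plus the portion of the URL the server actually receives. The URLs, the `KNOWN_PROFILES` allow-list and the `fakeElement` stub are constructed so the code runs under Node without a browser.

```javascript
// Constructed allow-list of profile values the page knows how to render.
const KNOWN_PROFILES = new Set(["developer", "manager", "guest"]);

// Only path + query travel in the HTTP request; the fragment stays in the browser.
function serverVisiblePart(urlString) {
  const u = new URL(urlString);
  return u.pathname + u.search;
}

// Mirrors the article's client-side logic: take "profile" from the query and,
// as many real pages do, fall back to the fragment when the query value is empty.
function untrustedProfile(urlString) {
  const u = new URL(urlString);
  const fromQuery = u.searchParams.get("profile");
  if (fromQuery) return fromQuery;
  // location.hash is percent-encoded by the browser; decode it to the raw text.
  const raw = u.hash.replace(/^#/, "");
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return raw; // malformed percent-encoding: keep as-is rather than throw
  }
}

// Vulnerable sink: a markup-interpreting assignment (innerHTML / document.write).
function renderVulnerable(el, urlString) {
  el.innerHTML = "Profile: " + untrustedProfile(urlString);
  return el;
}

// Hardened: allow-list the value and write it as text, never as markup.
function renderHardened(el, urlString) {
  const value = untrustedProfile(urlString);
  const safe = KNOWN_PROFILES.has(value) ? value : "guest";
  el.textContent = "Profile: " + safe;
  return el;
}

// Minimal stand-in for a DOM element so the functions run outside a browser.
function fakeElement() {
  return { innerHTML: "", textContent: "" };
}

const benign = "https://www.northgreen-insecuresite.com/index.html?profile=developer";
const malicious = "https://www.northgreen-insecuresite.com/index.html?profile=#<script>alert(1)</script>";
```

Running `serverVisiblePart(malicious)` yields `/index.html?profile=`, which is why server-side logging and filtering never see the payload; `renderVulnerable` places the raw `<script>` markup in the element while `renderHardened` falls back to `guest`.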