Prerequisites

To understand this whole article, you will need:

  • Know how to code in HTML
  • Know the basics of JavaScript
  • Know what an XSS is (see my article on XSS if needed)

What is the DOM?

The Document Object Model (DOM) is a programming interface standardized by the W3C that lets scripts examine and modify the content of the page displayed by the web browser. You can use the DOM to change the colour of some text when a button is clicked, or to show or hide parts of the page depending on user actions.

In JavaScript, the DOM is exposed through the document object.

Definition

DOM-based XSS occurs when user input is inserted directly into the JavaScript code of a page rather than into its HTML. The injection therefore does not go through HTML tags.

Exploit

For example, consider a page that takes user input and multiplies it by 10.

Here is the page's code:

    <script>
    var number = <user input>;

    var result = number * 10;

    console.log('The result is ' + result);
    </script>

Here the variable number stores the user input, which is then multiplied by 10. The problem with this script is that if we enter something other than a number, for example hello, the console reports an error saying that hello is not defined. This means that our input is interpreted as JavaScript code.

We can therefore enter a function call that will be executed when the variable is assigned, for example alert(). From there you can easily redirect and steal cookies from other users. :)
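As an added example (not code from the original article), here is the multiply-by-10 page generated two ways so the difference can be checked offline in Node.js: the vulnerable way shown above, and a corrected version that validates the input and embeds it as a JSON literal instead of raw source text. The function names are hypothetical.

```javascript
// Added example, not from the original article: the multiply-by-10 page
// generated the vulnerable way and a corrected way. Function names are
// hypothetical; runs offline under Node.js.

// Vulnerable: the raw input is spliced into JavaScript source, so whatever
// the user typed is parsed as code, exactly as the article describes.
function buildScriptUnsafe(userInput) {
  return "<script>\n" +
    "var number = " + userInput + ";\n" +
    "var result = number * 10;\n" +
    "console.log('The result is ' + result);\n" +
    "</script>";
}

// Only plain decimal numbers are accepted: anything else is rejected before
// it gets anywhere near the script.
const NUMBER_RE = /^-?\d+(\.\d+)?$/;

// Corrected: validate, convert, and embed a JSON literal, never raw text.
function buildScriptSafe(userInput) {
  const trimmed = String(userInput).trim();
  const value = Number(trimmed);
  if (!NUMBER_RE.test(trimmed) || !Number.isFinite(value)) {
    return { ok: false, reason: "input is not a number", script: null };
  }
  // JSON.stringify of a finite number yields only digits, '-', '.', 'e', '+':
  // it can neither close the statement early nor open a new one.
  const literal = JSON.stringify(value);
  return {
    ok: true,
    reason: null,
    script: "<script>\n" +
      "var number = " + literal + ";\n" +
      "var result = number * 10;\n" +
      "console.log('The result is ' + result);\n" +
      "</script>",
  };
}

// Check used below: is the input present verbatim as the right-hand side of
// the assignment, i.e. has it become code rather than data?
function inputAppearsAsCode(script, userInput) {
  return script.includes("var number = " + userInput + ";");
}

// Non-numeric input becomes code in the unsafe version and is refused by the safe one.
console.log(inputAppearsAsCode(buildScriptUnsafe("hello"), "hello")); // true
console.log(buildScriptSafe("hello").ok);                              // false
```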

Tips for DOM Based XSS

Look at how your input is rendered in the page's source code.

With this kind of vulnerability, we can see our actions and their repercussions directly. For example, check whether quotes have been escaped.

Watch the errors displayed in your browser console.

Errors reveal a lot about the code, and in this kind of XSS errors are often a good sign! They mean we managed to make the site do something that was not originally planned. Watching for errors is therefore essential.