Cross-site Scripting (XSS) - DOM (CWE-79)


DOM (Document Object Model) is model which treats HTML and XML document as Tree structure.

DOM Based XSS is different form Stored and reflected XSS. In both stored and reflected XSS, Malicious javascript is going in the request, and reflecting from the server and web application is Dynamic. But in DOM-based XSS, It is not the case.

DOM Based XSS occurs when the Application takes user-input and uses the same to modify DOM.

Example 1

Let's say; Website has a welcome page, which has URL as below,

This is a static webpage, which rendered as,

Welcome Rahul

So, if you change URL to

the webpage will be changed to

Welcome Anything

And this is done using, javascript innerHTML function.

So, Attaceker can add malicious script into URL, as<script>alert('DOM XSS')</script>

Example 2

Consider a simple webpage, which can do basic mathematic operations like addition, subtraction, multiplication.

<!DOCTYPE html>
<head><title>DOM XSS : Simple Math Calculator</title></head>
<p id="result"></p>
    var solve = document.URL.split("solve=")[1];
    document.getElementById('result').innerHTML = eval(solve);

When, user visit, Webpage will display result, as 5

So, if you change URL to*7 it will give, 56

So, Attacker can add a malicious script into URL, as

Whatever you give to solve= as a GET parameter is the same as given to Javascript eval() function, which is dangerous here.


Impact of DOM-based XSS will be same as Reflected XSS.


  • Avoid user given data for DOM Modification or redirection.
  • Strict Filters should be applied to user input based on expected input.
  • Prevention methods of Stored/reflected XSS should be considered for preventing DOM-based XSS also, but in client-side code.