In this section, we'll describe DOM-based cross-site scripting (DOM XSS), explain how to find DOM XSS vulnerabilities, and talk about how to exploit DOM XSS with different sources and sinks.

[1] “DOM Based Cross Site Scripting or XSS of the Third Kind” (WASC writeup), Amit Klein, July 2005

Recently I was able to find a DOM based xss in www.figma.com in collaboration with @huli (an awesome ctf player).

This write-up for the lab DOM XSS using web messages is part of my walk-through series for PortSwigger's Web Security Academy.

This is because the rule to HTML attribute encode in an HTML attribute rendering context is necessary in order to mitigate attacks which try to exit out of an HTML attributes or try to add additional attributes which could lead to XSS. When you are in a DOM execution context you only need to JavaScript encode HTML attributes which do not execute code (attributes other than event handler, CSS, and URL attributes).

This is a short writeup about a DOM XSS on google.com which I accidentally discovered.

The best way to completely avoid DOM-based XSS vulnerabilities in your JavaScript code is to use the correct output method (a safe sink). For example, if you want to write into a <div> element, don’t use innerHtml.

July 18, 2022 - DOM XSS is a web application vulnerability that allows attackers to manipulate the DOM environment in a user's browser by injecting malicious client-side code. DOM XSS vulnerabilities are mainly attributed to situations where user-controllable ...

February 19, 2025 - An attacker may use several DOM objects to create a Cross-site Scripting attack. The most popular objects from this perspective are document.url, document.location, and document.referrer. Potential consequences of DOM-based XSS vulnerabilities are classified in the OWASP Top 10 2017 document as moderate.

This lab contains a DOM-based cross-site scripting vulnerability in the search query tracking functionality. It uses the JavaScript document.write function, which writes data out to the page.

As discussed earlier, this is because jQuery patched the vulnerability but exploitation is still viable. In the example below, the src attribute points to the vulnerable page with an empty hash value. When the iframe is loaded, an XSS vector is appended to the hash, causing the hashchange event to fire

November 11, 2025 - DOM sources are JavaScript properties that contain user-controllable data, which attackers can manipulate (typically through the URL). Below is a comprehensive list of all possible entry points for DOM-based XSS attacks:

When researchers don't understand english well, it's inconvenient, but at least it only hurts themselves. When the security team is not good at english, unfortunately it hurts all the researches.

May 6, 2020 - DOM XSS Walkthrough Introduction : I was checking my email and i found a DOM XSS vulnerability that I have reported to a program long time ago which isn’t patched yet , and i thought why not …

So in order to execute my payload, I can terminate the string and json structure, append a function call and finish off with ignoring what comes next: \"}+alert(document.domain);//. This results in the following response

April 19, 2024 - First Example→DOM XSS in document.write sink using source location.search1) We will search some random string to check where our input is reflected on the next page.2) After clicking on search, we go to the page source.

This kind of XSS is probably the hardest to find, as you need to look inside the JS code, see if it’s using any object whose value you control, and in that case, see if there is any way to abuse it to execute arbitrary JS. https://github.com/mozilla/eslint-plugin-no-unsanitized · Browser extension to check every data taht reaches a potential sink: https://github.com/kevin-mizu/domloggerpp

June 18, 2025 - Search-ready snippet: DOM-based XSS manipulates client-side JavaScript and DOM objects to inject malicious scripts directly in the browser.

February 16, 2025 - The following are some demonstration payloads which can be used to execute JavaScript commands and access DOM elements, such as document.domain and document.cookie:

October 4, 2023 - The first of these two features is the most important for detecting a classic DOM-based XSS. The extension is able to inject a user-defined string into all possible sources or only into the URL. It will then report the sources and sinks where this string is found.