In this section, we'll describe DOM-based cross-site scripting (DOM XSS), explain how to find DOM XSS vulnerabilities, and talk about how to exploit DOM XSS with different sources and sinks.

[1] “DOM Based Cross Site Scripting or XSS of the Third Kind” (WASC writeup), Amit Klein, July 2005

Recently I was able to find a DOM based xss in www.figma.com in collaboration with @huli (an awesome ctf player).

July 18, 2022 - DOM XSS is a web application vulnerability that allows attackers to manipulate the DOM environment in a user's browser by injecting malicious client-side code. DOM XSS vulnerabilities are mainly attributed to situations where user-controllable ...

This write-up for the lab DOM XSS using web messages is part of my walk-through series for PortSwigger's Web Security Academy.

The best way to completely avoid DOM-based XSS vulnerabilities in your JavaScript code is to use the correct output method (a safe sink). For example, if you want to write into a <div> element, don’t use innerHtml.

This is a short writeup about a DOM XSS on google.com which I accidentally discovered.

This is because the rule to HTML attribute encode in an HTML attribute rendering context is necessary in order to mitigate attacks which try to exit out of an HTML attributes or try to add additional attributes which could lead to XSS. When you are in a DOM execution context you only need to JavaScript encode HTML attributes which do not execute code (attributes other than event handler, CSS, and URL attributes).

February 19, 2025 - An attacker may use several DOM objects to create a Cross-site Scripting attack. The most popular objects from this perspective are document.url, document.location, and document.referrer. Potential consequences of DOM-based XSS vulnerabilities are classified in the OWASP Top 10 2017 document as moderate.

This lab contains a DOM-based cross-site scripting vulnerability in the search query tracking functionality. It uses the JavaScript document.write function, which writes data out to the page.

When researchers don't understand english well, it's inconvenient, but at least it only hurts themselves. When the security team is not good at english, unfortunately it hurts all the researches.

May 6, 2020 - DOM XSS Walkthrough Introduction : I was checking my email and i found a DOM XSS vulnerability that I have reported to a program long time ago which isn’t patched yet , and i thought why not …

November 11, 2025 - DOM sources are JavaScript properties that contain user-controllable data, which attackers can manipulate (typically through the URL). Below is a comprehensive list of all possible entry points for DOM-based XSS attacks:

April 19, 2024 - First Example→DOM XSS in document.write sink using source location.search1) We will search some random string to check where our input is reflected on the next page.2) After clicking on search, we go to the page source.

June 18, 2025 - Search-ready snippet: DOM-based XSS manipulates client-side JavaScript and DOM objects to inject malicious scripts directly in the browser.

This kind of XSS is probably the hardest to find, as you need to look inside the JS code, see if it’s using any object whose value you control, and in that case, see if there is any way to abuse it to execute arbitrary JS. https://github.com/mozilla/eslint-plugin-no-unsanitized · Browser extension to check every data taht reaches a potential sink: https://github.com/kevin-mizu/domloggerpp

February 16, 2025 - The following are some demonstration payloads which can be used to execute JavaScript commands and access DOM elements, such as document.domain and document.cookie:

October 4, 2023 - The first of these two features is the most important for detecting a classic DOM-based XSS. The extension is able to inject a user-defined string into all possible sources or only into the URL. It will then report the sources and sinks where this string is found.

July 6, 2023 - Since this value comes from the user and is not validated or sanitized before use, an attacker could manipulate this value to point to a malicious script on a different server. When the jQuery getScript() function fetches and executes this script, it would run in the context of the user’s session, leading to a DOM-based Cross-Site Scripting (XSS) attack.

This is a short writeup about a DOM XSS on google.com which I accidentally discovered.