DOM-based
Identify potential sources of user input:
Look for URL parameters, form inputs, or fragments (#fragment) that the page processes dynamically using JavaScript. Use browser developer tools to inspect how JavaScript interacts with the DOM. Look for dangerous methods like innerHTML, document.write(), eval(), or similar.
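As an added example (not part of the original notes), the following Node script does the source/sink triage described above statically: it scans JavaScript source text for the usual DOM XSS sources (location.hash, location.search, document.cookie, message listeners and so on) and sinks (innerHTML, document.write, eval and friends) and flags a script that contains both, so a reviewer knows which files to open in the browser developer tools. The pattern lists, function names and the sample script are constructed for this example.

```javascript
// Added example, not from the original notes: static triage of JavaScript source for
// common DOM XSS sources and sinks. Pattern lists and sample input are constructed here.

const SOURCES = [
  /location\.(hash|search|href|pathname)/,
  /document\.(URL|documentURI|referrer|cookie)/,
  /window\.name/,
  /addEventListener\(\s*['"]message['"]/,
];

const SINKS = [
  /\.innerHTML\s*=/,
  /\.outerHTML\s*=/,
  /document\.write(ln)?\s*\(/,
  /\beval\s*\(/,
  /new\s+Function\s*\(/,
  /set(Timeout|Interval)\s*\(\s*['"`]/, // string argument, evaluated as code
  /\.insertAdjacentHTML\s*\(/,
  /\blocation(\.href)?\s*=/,
];

// Return the 1-based line numbers (and trimmed text) on which any pattern matches.
function findLines(source, patterns) {
  const hits = [];
  source.split('\n').forEach((line, idx) => {
    if (patterns.some(re => re.test(line))) {
      hits.push({ line: idx + 1, text: line.trim() });
    }
  });
  return hits;
}

// Triage a script: list source and sink lines, and mark it suspicious when both occur.
// A hit only means "look here"; whether data actually flows from source to sink needs
// manual review in the browser.
function triageScript(source) {
  const sources = findLines(source, SOURCES);
  const sinks = findLines(source, SINKS);
  return { sources, sinks, suspicious: sources.length > 0 && sinks.length > 0 };
}

// Constructed sample: a page script that reads the fragment and writes it with innerHTML.
const SAMPLE = `
const name = decodeURIComponent(location.hash.slice(1));
document.getElementById('greeting').innerHTML = 'Hello ' + name;
`;

console.log(JSON.stringify(triageScript(SAMPLE), null, 2));
```

Run it with `node triage.js` (or paste the functions into the dev-tools console and call `triageScript` on a script's text); the output for the constructed sample reports one source on line 2, one sink on line 3, and `suspicious: true`.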
Test for input reflection:
Modify input that is passed through URL parameters or fragments to see if it appears on the page without proper encoding or sanitization. For example:
https://example.com/page.html?param=<script>alert('XSS')</script>
https://example.com/page.html#<script>alert('XSS')</script>
Probe with harmless scripts:
Start by injecting simple, non-malicious scripts like
<img src=x onerror=alert(1)>
to check whether the browser executes your code. If the alert box appears, it’s a sign the input is not properly sanitized.
Explore execution context:
Investigate where your input is reflected in the DOM. Sometimes the payload might be reflected in HTML, but within a script block or as part of an event handler, like onmouseover, making the context important.
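The context matters for the defender as much as for the tester: the same value needs a different treatment depending on whether it lands in HTML text, in an attribute, or inside a script block. As an added example (not from the original notes), the helpers below encode for each of those contexts and show the preferred alternative of not building HTML strings at all. Helper names and the sample inputs are assumptions; the probe string is the one used earlier in these notes.

```javascript
// Added example, not from the original notes: context-specific output encoding for
// DOM XSS defence. Function names and sample inputs are constructed for this example.

// HTML body context: escape the characters that can open a tag or close a quote.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Quoted (non-handler) attribute context: the same escaping is enough, provided the
// attribute is quoted. Event-handler attributes (on*) decode entities before running
// the value as code, so untrusted data must never be placed in them, encoded or not.
function encodeForAttribute(s) {
  return encodeForHtml(s);
}

// JavaScript string-literal context: JSON.stringify yields a valid literal and escapes
// quotes and backslashes; '<' is additionally escaped so a '</script>' inside the data
// cannot terminate the surrounding script block early.
function encodeForJsString(s) {
  return JSON.stringify(String(s)).replace(/</g, '\\u003c');
}

// Preferred DOM approach: no string-built markup. textContent and property assignment
// make the browser treat the value as data, never as HTML or code.
function renderGreeting(name, doc) {
  const el = doc.createElement('p');
  el.textContent = 'Hello ' + name;
  return el;
}

// Constructed untrusted inputs.
const probe = '<img src=x onerror=alert(1)>';
console.log(encodeForHtml(probe));                                  // &lt;img src=x onerror=alert(1)&gt;
console.log(encodeForJsString('</script><script>alert(1)</script>'));

if (typeof document !== 'undefined') {
  document.body.appendChild(renderGreeting(decodeURIComponent(location.hash.slice(1)), document));
}
```

The last block only runs in a browser; in Node the functions can be exercised directly. Note that `encodeForAttribute` is deliberately identical to `encodeForHtml`: the difference between the two contexts is the rule about handler attributes, not the character set.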
Craft final exploit:
If the injection point allows it, create a malicious payload that achieves your goal, such as stealing cookies, redirecting the user, or logging keystrokes.
Deliver the payload via a URL or other input method to trigger the exploit.
Common attack vectors:
URL parameters or fragment identifiers (#fragment).
Insecure client-side JavaScript that processes user-controlled data directly.
Post message listener:
Post message innerHTML:
Post message JSON:
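The three headings above cover the same sink family: a message listener that takes event.data straight into innerHTML, or parses it as JSON and then trusts the fields. As an added example (not from the original notes), the code below places the vulnerable listener next to a hardened one that checks event.origin against an allowlist, parses the JSON strictly, accepts only the expected shape, and writes text rather than markup. The origin, the message schema and the sample events are assumptions constructed for this example.

```javascript
// Added example, not from the original notes: postMessage listener, vulnerable form
// beside the hardened form. Origins, field names and sample events are constructed.

const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Vulnerable form (shown for contrast): any window can post a message, and the data
// is rendered as HTML, so the listener is a DOM XSS sink fed by an untrusted source.
function handleMessageUnsafely(event, outputEl) {
  outputEl.innerHTML = event.data;
}

// Hardened form. Returns a status string so each decision is visible and testable.
function handleMessageSafely(event, outputEl) {
  if (!ALLOWED_ORIGINS.has(event.origin)) return 'rejected-origin';
  if (typeof event.data !== 'string') return 'rejected-type';

  let msg;
  try { msg = JSON.parse(event.data); } catch { return 'rejected-json'; }

  // Accept only the exact shape we expect. Extra fields such as a "url" are ignored
  // rather than acted on, so the listener cannot be turned into a redirect sink.
  if (!msg || typeof msg !== 'object') return 'rejected-schema';
  if (msg.type !== 'status' || typeof msg.text !== 'string') return 'rejected-schema';

  outputEl.textContent = msg.text;   // rendered as text, never as markup
  return 'ok';
}

// Constructed sample events in the shape of a MessageEvent.
const fakeOutput = { innerHTML: '', textContent: '' };
const fromTrusted = {
  origin: 'https://app.example.com',
  data: JSON.stringify({ type: 'status', text: '<b>hi</b>' }),
};
const fromUntrusted = { origin: 'https://untrusted.example', data: '<img src=x onerror=alert(1)>' };

console.log(handleMessageSafely(fromTrusted, fakeOutput), JSON.stringify(fakeOutput.textContent));
console.log(handleMessageSafely(fromUntrusted, fakeOutput));

// Real wiring, browser only.
if (typeof window !== 'undefined') {
  window.addEventListener('message', e => handleMessageSafely(e, document.getElementById('status')));
}
```

The origin check must compare the full origin (scheme, host, port); substring or startsWith checks are a common way to get it wrong. Checking `typeof event.data` before `JSON.parse` matters because structured-clone messages can carry objects that would otherwise be coerced to a string.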
Angular ng-app
Using functions inside the Angular scope; remember the () at the end, which invokes the newly constructed function.
document.write, accepts script like:
eval input
cookie manipulation
Cookie set from the last visited URL; the victim is redirected to the home page after the payload loads (the malicious page URL is what gets saved in the cookie).
When the iframe loads for the first time, the browser temporarily opens the malicious URL, which is then saved as the value of the lastViewedProduct cookie. The onload event handler ensures that the victim is then immediately redirected to the home page, unaware that this manipulation ever took place. While the victim's browser has the poisoned cookie saved, loading the home page will cause the payload to execute.
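The chain above works because the home page reads lastViewedProduct out of document.cookie and inserts it into the DOM as-is. As an added example (not from the original notes), the code below treats the cookie like any other untrusted source: parse it, validate the value against the only shape a product link is allowed to have (same origin, fixed path, a single numeric productId), and return a canonical link or null. The site origin, the allowed path and the sample cookie strings are assumptions constructed for this example.

```javascript
// Added example, not from the original notes: validating a cookie-sourced "last viewed
// product" link before it reaches the DOM. Origin, path and samples are constructed.

// Minimal document.cookie parser; values that fail to decode are dropped.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (!name) continue;
    try { out[name] = decodeURIComponent(value); } catch { /* malformed percent-encoding: ignore */ }
  }
  return out;
}

// Accept only same-origin links of the form /product?productId=<digits>.
// Absolute URLs to other hosts, javascript:/data: schemes, other paths, extra query
// keys, and anything containing markup all fail one of the checks and yield null.
function validateLastViewedProduct(rawValue, origin) {
  if (typeof rawValue !== 'string') return null;
  let url;
  try { url = new URL(rawValue, origin); } catch { return null; }
  if (url.origin !== origin) return null;
  if (url.pathname !== '/product') return null;
  const keys = [...url.searchParams.keys()];
  if (keys.length !== 1 || keys[0] !== 'productId') return null;
  if (!/^\d{1,10}$/.test(url.searchParams.get('productId'))) return null;
  return url.pathname + url.search;   // canonical form, re-serialised by the URL parser
}

function lastViewedProductLink(cookieString, origin) {
  return validateLastViewedProduct(parseCookies(cookieString).lastViewedProduct, origin);
}

// Render via properties, never by concatenating HTML. Returns null if nothing valid to show.
function renderLastViewed(cookieString, origin, doc) {
  const link = lastViewedProductLink(cookieString, origin);
  if (link === null) return null;
  const a = doc.createElement('a');
  a.href = link;                      // already validated to be a same-origin path
  a.textContent = 'Back to last viewed product';
  return a;
}

// Constructed samples.
const ORIGIN = 'https://shop.example';
console.log(lastViewedProductLink('lastViewedProduct=%2Fproduct%3FproductId%3D42; session=abc', ORIGIN));
console.log(lastViewedProductLink('lastViewedProduct=javascript:alert(1)', ORIGIN));
console.log(lastViewedProductLink('lastViewedProduct=<img src=x onerror=alert(1)>', ORIGIN));

if (typeof document !== 'undefined') {
  const a = renderLastViewed(document.cookie, location.origin, document);
  if (a) document.body.appendChild(a);
}
```

The allowlist approach is deliberate: trying to strip "bad" characters from the cookie value would leave the encoding and context questions open, whereas accepting only a numeric productId on a fixed path leaves nothing for a poisoned cookie to carry.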