Cross-site Scripting (DOM based)

  • CWE 79
  • PCI 3.2-6.5.7
  • CAPEC 19
  • WASC 8
  • OWASP 2017-A7

DOM based Cross-Site Scripting (XSS) vulnerability arises when the DOM is used to generate dynamic content containing user controllable input. This kind of attack is carried out with JavaScript in the user's browser.

In contrast to other cross-site scripting vulnerabilities (e.g, Reflected XSS), the code is not embedded on the server side, but rather on the client side. This means that the payload cannot be found in the response code. The vulnerability can therefore only be detected at runtime or by checking the website's DOM.

The malicious script can perform a wide variety of actions, such as stealing cookies, session tokens, logging keystrokes or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

Each browser implements the DOM standard differently. This can affect whether a specific DOM XSS attack works in a particular browser.

Note: Chromium based browser is used during the tests so that the reported issue should work at least on Chrome.


The first and most important recommendation is to avoid using user-controlled data for the dynamic generation of content whenever possible. If this is completely unavoidable, the best way to prevent DOM based XSS is to use secure output methods (sink) that prevent the execution of any maliciously embedded code such as element.textContent rather than element.innerHTML