DOM XSS Bootcamp

Master client-side XSS vulnerabilities and their exploitation techniques

Low Difficulty Beginner
Medium Difficulty Intermediate
High Difficulty Advanced

About DOM XSS Vulnerabilities

DOM XSS (Document Object Model Cross-Site Scripting) occurs when client-side JavaScript dynamically modifies the DOM using user-controlled input without proper sanitization. Unlike reflected or stored XSS, DOM XSS vulnerabilities are entirely client-side and are often harder to detect.

Common DOM XSS Sources

URL Fragments: window.location.hash and document.location.hash
URL Parameters: window.location.search and URLSearchParams
JSON Data: JSON.parse() and AJAX responses
Window Properties: window.name, document.referrer
Form Inputs: document.getElementById().value and form data

Common Sinks

innerHTML: Direct HTML injection into DOM elements
document.write: Writing content directly to the document
eval(): Executing JavaScript code dynamically
location.href: Redirecting to malicious URLs
setTimeout/setInterval: Executing code with user input
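
A heuristic check for the source-to-sink flows listed above, added here as an illustration and not taken from the bootcamp's own code. It works line by line and treats any variable assigned from a listed source as tainted; the helper name `findDomXssCandidates` is hypothetical and the sample input is constructed.

```javascript
// Added example: flag lines where a listed DOM XSS source reaches a listed sink.
// Heuristic only: line-based, no scopes, sanitizers are not recognised.
const SOURCES = [
  /\blocation\.(?:hash|search)\b/, /\bURLSearchParams\b/, /\bJSON\.parse\s*\(/,
  /\bwindow\.name\b/, /\bdocument\.referrer\b/, /\.value\b/,
];
const SINKS = [
  { name: "innerHTML", re: /\.innerHTML\s*\+?=(?!=)\s*(.*)/ },
  { name: "document.write", re: /\bdocument\.write\s*\((.*)/ },
  { name: "eval", re: /\beval\s*\((.*)/ },
  { name: "location.href", re: /\blocation\.href\s*=(?!=)\s*(.*)/ },
  { name: "setTimeout/setInterval", re: /\bset(?:Timeout|Interval)\s*\((.*)/ },
];
const ASSIGN = /^\s*(?:(?:const|let|var)\s+)?([A-Za-z_]\w*)\s*=(?![=>])\s*(.*)$/;

// findDomXssCandidates is a hypothetical helper name, not a real library API.
function findDomXssCandidates(code) {
  const tainted = new Set(); // variables last assigned from a source
  const findings = [];
  const isTainted = (expr) =>
    SOURCES.some((re) => re.test(expr)) ||
    (expr.match(/[A-Za-z_]\w*/g) || []).some((id) => tainted.has(id));

  code.split("\n").forEach((line, i) => {
    const assign = line.match(ASSIGN);
    if (assign) {
      // Propagate taint through simple assignments; clear it on clean reassignment.
      if (isTainted(assign[2])) tainted.add(assign[1]);
      else tainted.delete(assign[1]);
    }
    for (const { name, re } of SINKS) {
      const m = line.match(re);
      if (m && isTainted(m[1])) findings.push({ line: i + 1, sink: name });
    }
  });
  return findings;
}

// Constructed sample input (not from a real application).
const SAMPLE = [
  'const name = decodeURIComponent(location.hash.slice(1));',
  'document.getElementById("greeting").innerHTML = "Hi " + name;',   // flagged
  'document.getElementById("greeting").textContent = "Hi " + name;', // safe API
  'const next = new URLSearchParams(location.search).get("next");',
  'location.href = next;',                                           // flagged
  'const delay = 500;',
  'setTimeout("tick(" + delay + ")", delay);',                       // no source
  'eval(window.name);',                                              // flagged
].join("\n");

console.log(findDomXssCandidates(SAMPLE));
```

Findings are candidates for manual review: the check does not know whether a value was validated or encoded before it reached the sink.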

Real-World Impact

Session hijacking and account takeover
Credential theft and phishing attacks
Malware distribution and drive-by downloads
Bypassing client-side security controls
CSRF attacks and privilege escalation