What is DOM-based XSS?
A DOM-based cross-site scripting (XSS) attack happens when a threat actor modifies the document object model (DOM) environment in the victim’s browser. So, while the HTML itself doesn’t change, the code on the client side executes differently. This type of attack is also sometimes referred to as “type-0 XSS.”
Specifically, the DOM enables JavaScript and other dynamic code to reference document components, such as a session cookie or form field. The DOM also supports security by limiting scripts from different domains from obtaining session cookies for other domains. If an attacker modifies a JavaScript function, a DOM-based XSS vulnerability may occur, enabling the attacker to control the DOM element.
DOM-based XSS Sources
The URL is the most common source for this type of attack. In this instance, the attacker constructs a link to direct the target to a vulnerable web page, embedding the malicious payload in the URL. In order for a DOM-based attack to work, the threat actor must place the malicious code in a sink that supports dynamic code execution. This enables attackers to execute malicious JavaScript.
How does an attack work?
- Threat actor searches for and discovers a DOM-based XSS vulnerability on an organization’s website
- The threat actor builds malicious code that redirects the URL to the new target.
- A customer or client of the organization clicks on the malicious URL
- The victim’s browser sends a request to the organization’s now-vulnerable site.
- The organization’s web server responds with the requested web page, triggering the malicious script.
- The victim’s browser now renders the web page that contains the malicious XSS script.
How to test for DOM-based XSS
To manually test for this type of attack, software engineers or application security professionals need a browser with developer tools. When done manually, developers or security staff must test each source individually. Fortunately, automated monitoring and inspection solutions speed up the process to quickly identify unauthorized DOM-based activity.
How do DOM-based XSS vulnerabilities happen?
Vulnerabilities often occur from the use of dynamic JavaScript components, like eval() and innerHTML.
How to prevent an attack
These types of attacks can’t be detected using traditional server-side security tools, because the malicious code never makes it over to the server. Instead it remains on the client side. JavaScript security is an essential component to protect against these types of attacks. To prevent DOM XSS, organizations should:
- Automated monitoring and inspection: Use automated monitoring and inspection solutions to regularly review client-side JavaScript code. A purpose-built client-side solution that automates the process can be a fast and easy way to identify DOM-based XSS activity.
- Audit web assets: Inventory your web assets and know the type of data they hold. Look for vulnerable scripts and any signs of manipulation.
- Regularly scan the client side: Regularly conduct deep-dive analysis into client-side applications and software to reveal intrusions, behavioral anomalies, and unknown threats.
- Sanitize client-side code: Inspect references to DOM objects to see if they contain any malicious code.
