DOM-XSS (Document Object Model-based cross-site scripting)
Vulnerability Name: DOM based cross-site scripting on [Parameter] at [Domain name]
Vulnerability Description: DOM-based XSS vulnerabilities usually arise when JavaScript takes data from an attacker-controllable source, such as the URL, and passes it to a sink that supports dynamic code execution, such as eval() or innerHTML. This enables attackers to execute malicious JavaScript, which typically allows them to hijack other users' accounts.

[Don't forget to add your own vulnerability description; the one given above is a general description]

Payload: [Malicious payload]
Steps to Reproduce: (Please change the steps according to the scenarios)
  1. Go to the [URL].
  2. Add the given payload in the vulnerable [Parameter].
  3. Reload the page.
  4. You should get an alert with the domain name.
  5. This is DOM-based cross-site scripting.
Proof-of-concept: Snapshots or video link attached.
Impact:
  1. Gain access to users' cookies, session IDs, passwords, private messages, etc.
  2. Read and access the content of a page for any attacked user, and therefore all the information displayed to that user.
  3. Compromise the content shown to the user.
Attack Scenario: In the above vulnerability, the attacker might create a malicious payload which fetches the session ID of any user who clicks on the link and passes that information to the attacker's server. This can lead to session hijacking or account takeover on that domain.

[The above is a basic attack scenario; alter it according to the workflow]

Remediation: To keep yourself safe from XSS, you must sanitize your input. Your application code should never output data received as input directly to the browser without checking it for malicious code.
  1. Filter input on arrival.
  2. Encode data on output.
  3. Use appropriate response headers.
  4. Content Security Policy.
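Added example, not part of the original template: a DOM-XSS sink fed from the URL fragment, first in its vulnerable form and then hardened along the remediation steps above. `el` is a minimal stand-in for a DOM element so the code runs outside a browser (in a page it would be `document.getElementById(...)`), the `#name=` fragment format and the CSP header value are assumptions.

```javascript
// Source: attacker-controllable URL fragment, assumed format "#name=<value>".
function readNameFromHash(hash) {
  const raw = hash.replace(/^#name=/, '');
  try {
    return decodeURIComponent(raw);
  } catch (e) {          // malformed percent-encoding must not crash the page
    return raw;
  }
}

// VULNERABLE: the fragment flows unchanged into innerHTML, an HTML-parsing sink,
// so any markup in it (event handlers, <img onerror>, ...) is interpreted.
function renderGreetingVulnerable(hash, el) {
  el.innerHTML = 'Welcome, ' + readNameFromHash(hash);
  return el.innerHTML;
}

// Step 1 - filter input on arrival: an allowlist for what a name may look like.
const NAME_PATTERN = /^[A-Za-z0-9 ._-]{1,40}$/;
function isAllowedName(name) {
  return NAME_PATTERN.test(name);
}

// Step 2 - encode on output for an HTML context, for the cases where a
// markup sink (innerHTML, document.write) cannot be avoided.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => HTML_ESCAPES[c]);
}

// HARDENED: reject values outside the allowlist, then write through a text
// sink (textContent) so the browser never parses the value as HTML.
function renderGreetingSafe(hash, el) {
  const name = readNameFromHash(hash);
  const shown = isAllowedName(name) ? name : 'guest';
  el.textContent = 'Welcome, ' + shown;
  return el.textContent;
}

// Steps 3 and 4 - a response header with a Content Security Policy that blocks
// inline script as a second layer (assumed value; adjust to the app's sources).
const CSP_HEADER = "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'";
```

The vulnerable function shows the unchanged markup reaching the sink; the safe one returns the same greeting with the allowlisted text only, and `encodeHtml` covers the case where a markup sink must be kept.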