Questions tagged [dom]

53 questions
28 votes, 1 answer

Is DOM based XSS still a valid security concern in modern browsers?

I am trying to understand how DOM based XSS works, e.g. from this post, I managed to reproduce it in IE11, but e.g. Chrome and Firefox are immune at least against this exact example. What happens is that document.baseURI and similar objects do return…
Ilya Chernomordik
11 votes, 2 answers

How can document.referrer be used for XSS?

A very simple example...
or I've tried simply sending the request and adding a referrer…
Michael Blake
11 votes, 1 answer

In what situations can element.setAttribute allow XSS?

Burp has identified a potential DOM XSS vulnerability: The application may be vulnerable to DOM-based cross-site scripting. Data is read from window.location.href and passed to the 'setAttribute()' function of a DOM element. In this example, the…
paj28
10 votes, 1 answer

XSS with escaped equal sign inside jQuery selector

Web-site uses jQuery 1.8.3, which has a known XSS vulnerability in its selector (https://snyk.io/vuln/npm:jquery:20120206). It passes the filtered and urldecoded document.location.hash value (val2 below) inside…
Alex Velickiy
8 votes, 2 answers

How is DOM XSS possible here?

I was looking at this website and trying to understand how this XSS is possible, but I just can't figure it out. Here's the URL: http://www.domxss.com/domxss/01_Basics/05_jquery_html.html?681973661
Michael Blake
7 votes, 1 answer

Safe to render data directly to DOM from localStorage? XSS attack possible?

I read that localStorage is susceptible to XSS attacks. I currently store a JSON Web Token (JWT) in localStorage, and I access and display data about the user through localStorage: var localstore = // localStorage object // On user login, server…
rublex
7 votes, 1 answer

DOM based XSS inside src attribute

I have the following JavaScript code: var url= document.location.href; document.write(""); I am able to inject code when I append e.g. ?b=a'onX=alert(1);' to the URL, but this only works in browsers where…
Noahnder
6 votes, 2 answers

Is this code's usage of document.location.toString() a DOM based XSS vulnerability?

I have come across the following JS code in multiple web applications. I think the reason for the popularity of this code snippet is this accepted answer on SO. Developers seem to be using this code a lot for switching menu tabs: var url =…
Rahil Arora
5 votes, 2 answers

Limiting latter dom-based XSS when setting document.title

Given some JavaScript which modifies the page's title by taking in variable data (document.title = someVariable), I am looking to address DOM based XSS while keeping the title fairly readable. Therefore, doing something like escape() or encodeURI()…
Eric G
4 votes, 2 answers

Exploiting XSS with window.name without iFrame

I know XSS is possible if the window.name is echoed onto the page, but from my understanding, this requires you to use an iFrame, but what if the page has clickjacking protection, stopping the page from being embedded in an iFrame? Is such an attack…
Michael Blake
4 votes, 0 answers

Is it safe to use DOMParser to parse client side XML files?

Some JavaScript frameworks or libraries use the DOMParser API to parse XML files from the client. Is it safe to do this? Malicious code can easily be embedded into the XML file (in either the definition of nodes or their attributes). Does DOMParser…
Wilt
3 votes, 1 answer

DOM based XSS query - location.hash

I was just looking at DOM based XSS and wondering if a hash value written to a variable in a JavaScript context can lead to cross-site scripting. The code looks something like this: Is the above…
Sanchit Sharma
3 votes, 1 answer

Can location.pathname lead to XSS?

I think that example would work, but anyway, if location.pathname has to be a valid page, can this be exploited? Edit: I'm mainly talking about if the user can't make up…
Michael Blake
3 votes, 1 answer

Security risks with setDomStorageEnabled(true) in Android?

What are the security risks associated with enabling the setDomStorageEnabled(true) method? Reference.
bhartay
2 votes, 1 answer

DAST Output in Burp and Understanding It

I have recently upgraded to the newest version of Burp which includes the new DAST tools. I am receiving reports from the tool that it has found DOM-Based JavaScript Injection, but I am having trouble digesting the output: Data is read from…
NewDev