What is DOM?
Example for DOM based XSS Attack
Normally, Web page looks like the link attached below.
The web page below has an XSS tag induced in it.
After the XSS code is injected in the webpage, then it is easy to exploit using DOM based XSS to steal the cookies from the user browser and you can change the web application however you want.
🡪The main rule that you must do to prevent DOM XSS is sanitizing the untrusted data.
🡪DOM XSS attacks are hard to find from the server-side, because malicious links do not reach the server side. So, It occurs mainly on the client side.
🡪The only difference is that in the case of DOM XSS when compared to reflected/stored based XSS is, you must review and sanitize client-side code, not server-side code.
🡪Avoid using data received from the client-side for sensitive actions.
🡪Sanitize client-side code by checking DOM objects that pose a threat, for example, URL, location, and referrer. This is especially important if DOM can be modified.
🡪If you want to use user input on your webpage then use only “text” format, do use the HTML tags.
🡪Avoid using methods like document.innerHTML and document.textContent
🡪This type of user input will affect DOM elements in document.url and document.location.
🡪The application might be vulnerable for both reflected/stored XSS and DOM XSS.
🡪The given below link is find the DOM based XSS prevention cheat sheet.
Shiva Ram Krishna
Security Enthusiast, Constant Learner & Cyber Security Blogger