DOM-Based Cross-Site Scripting (DXSS)



DOM-based XSS (also known as DOM XSS or type-0 XSS ) arises when an application contains some client-side JavaScript that's being executed as a result of modifying the DOM “environment” in the victim’s browser by passing malicious JavaScript payload to a sink that supports dynamic code execution, such as `eval()` or `innerHTML`. This enables attackers to execute malicious JavaScript, which typically allows them to hijack other users' accounts.

Attack Scenario

If the attacker can control the value of the input field Source, they can easily construct a malicious value that causes their script via Sink to execute, allowing the attacker to deliver an attack using a malicious URL, in the same manner as reflected XSS.


You should avoid allowing data from any untrusted source to dynamically alter the value that is transmitted to any sink.

If the desired functionality of the application means that this behavior is unavoidable, then defenses must be implemented within the client-side code such as :

  • The relevant data can be validated on a whitelist basis, only allowing content that is known to be safe.
  • It will be necessary to sanitize or encode the data.

ID: 20004