DOM-Based XSS
What is DOM-Based XSS?
DOM-Based XSSAn XSS variant where the injection and execution happen entirely in the browser as client-side JavaScript writes untrusted data into a sink without sanitization.
DOM-based XSS (also called Type-0) is a cross-site scripting flaw whose root cause lives entirely in client-side code. A trusted source — for example location.hash, document.referrer, window.name, postMessage, or localStorage — is passed without sanitization into a dangerous DOM sink such as innerHTML, document.write, eval, or jQuery.html. The server never sees the payload, which makes the vulnerability invisible to traditional WAFs and server logs. Defenses include using safe APIs like textContent, leveraging Trusted Types in modern browsers, deploying a strict Content Security Policy, and auditing JavaScript with tools that track tainted-data flow from sources to sinks.
● Examples
- 01
document.getElementById('out').innerHTML = location.hash.substring(1);
- 02
A SPA router using window.location to render unsanitized HTML into a template slot.
● Frequently asked questions
What is DOM-Based XSS?
An XSS variant where the injection and execution happen entirely in the browser as client-side JavaScript writes untrusted data into a sink without sanitization. It belongs to the Attacks & Threats category of cybersecurity.
What does DOM-Based XSS mean?
An XSS variant where the injection and execution happen entirely in the browser as client-side JavaScript writes untrusted data into a sink without sanitization.
How does DOM-Based XSS work?
DOM-based XSS (also called Type-0) is a cross-site scripting flaw whose root cause lives entirely in client-side code. A trusted source — for example location.hash, document.referrer, window.name, postMessage, or localStorage — is passed without sanitization into a dangerous DOM sink such as innerHTML, document.write, eval, or jQuery.html. The server never sees the payload, which makes the vulnerability invisible to traditional WAFs and server logs. Defenses include using safe APIs like textContent, leveraging Trusted Types in modern browsers, deploying a strict Content Security Policy, and auditing JavaScript with tools that track tainted-data flow from sources to sinks.
How do you defend against DOM-Based XSS?
Defences for DOM-Based XSS typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for DOM-Based XSS?
Common alternative names include: Type-0 XSS, Client-side XSS.
● Related terms
- attacks№ 240
Cross-Site Scripting (XSS)
A web vulnerability that allows attackers to inject malicious scripts into pages viewed by other users, executing in the victim's browser under the site's origin.
- attacks№ 1107
Stored XSS
A persistent cross-site scripting flaw where attacker-supplied script is saved on the server and later executed in every visitor's browser.
- attacks№ 912
Reflected XSS
A non-persistent XSS where attacker-controlled input from a request is immediately reflected into the response and executed in the victim's browser.
- appsec№ 214
Content Security Policy (CSP)
An HTTP response header that tells the browser which sources of scripts, styles, frames and other content are allowed, limiting the impact of XSS and data-injection attacks.
- vulnerabilities№ 869
Prototype Pollution
A JavaScript vulnerability where untrusted input modifies Object.prototype, injecting properties into every object and changing application behaviour or leading to RCE.
- appsec№ 773
Output Encoding
Transforming untrusted data into a form that is safe for a specific output context — HTML, JavaScript, URL, SQL, shell — so it cannot break out and execute as code.
● See also
- № 104Blind XSS