Security Knowledge Base
Learn about web security vulnerabilities and how to prevent them
Vulnerability Types
Cross-Site Scripting Guide
DOM-based Cross-Site Scripting (XSS)
DOM-based XSS occurs when user input is processed by client-side JavaScript and written to the DOM without proper validation or encoding.
High Risk
A03:2021 – Injection
CWE-79: Cross-site Scripting
Security Impact
Potential Impact
Execute arbitrary JavaScript code in victim's browser
Steal session cookies and authentication tokens
Perform actions on behalf of the victim
Redirect users to malicious websites
Modify page content to display false information
Prevention Methods
Prevention
Validate and sanitize all user inputs on both client and server side
Use textContent instead of innerHTML when possible
Implement Content Security Policy (CSP) headers
Encode special characters before inserting into DOM
Use modern frameworks with built-in XSS protection
Code Examples
Implementation Examples
javascript⚠️ VULNERABLE
// VULNERABLE - Direct DOM manipulation
const userInput = new URLSearchParams(location.search).get('name');
document.getElementById('welcome').innerHTML = 'Hello ' + userInput;
// VULNERABLE - Using eval with user data
const userData = location.hash.substring(1);
eval(userData);Real-world Cases
Notable Security Incidents
Facebook Messenger XSS via file upload (2016)
Google Search XSS through URL parameters (2015)
Twitter XSS via tweet composition (2014)
YouTube XSS through video descriptions (2013)