Document Object Model Based Cross Site Scripting

OWASP 2013-A3 OWASP 2017-A7 OWASP 2021-A3 PCI v3.2-6.5.7 OWASP PC-C4 CAPEC-19 CWE-79 HIPAA-164.308(a) ISO27001-A.14.2.5 WASC-08 WSTG-CLNT-01

Cross-Site Scripting (XSS) is a client-side code injection attack where an attacker can execute malicious scripts into a website or web application. Document Object Model based Cross Site Scripting is a type of Cross Site Scripting attack. This attack is encountered when a web application’s client-side scripts write user-provided information to the Document Object Model. The data is read using the Document Object Model. It is then outputted to the browser. If the information is incorrectly handled, an attacker can inject a payload as part of the Document Object Model. The payload is executed when the data is read as a response from the Document Object Model.

If a web application is found that allows Document Object Model-Based Cross Site Scripting, the application’s Document Object Model might contain several vulnerable files that the attacker can manipulate in order to generate the Cross Site Scripting conditions.


The following code is used to creating a form to let the user choose his/her country.

        Select your country:
        document.write("<OPTION value=1>"+document.location.href.substring(document.location.href.indexOf("default=")+8)+"</OPTION>");
        document.write("<OPTION value=2>Armenia</OPTION>");


The page is requested with the below URL:

A DOM-Based XSS can be against this page can be perforated by an attacker by sending the following URL to a victim:-<script>alert(document.cookie)</script>


The above URL will alert the cookie.

The Javascript code present in a page doesn’t expect the default parameter to contain HTML markup. The script merely echoes the HTML tag into the page (DOM) at runtime. The browser then renders the page and executes the attacker’s script.


Using this vulnerability, an attacker can:-

  • execute malicious code to the user.
  • make the web application unstable.
  • execute remote commands.

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Avoid client-side sensitive actions like rewriting or redirection using client-side data.
  • Apply a proper authentication on the client side code.
  • Implement an intrusion prevention systems in the server.
  • Avoid including untrusted data in this context.
  • Escape the JavaScript code before inserting untrusted data into the HTML Attribute Subcontext.
  • Implement URL escape before Inserting Untrusted Data into URL Attribute Subcontext.

Latest Articles