hacktricks/pentesting-web/xss-cross-site-scripting/dom-xss.md

# DOM XSS

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## DOM Vulnerabilities

Vikosi vya DOM vinatokea wakati data kutoka kwa **vyanzo** vinavyodhibitiwa na mshambuliaji (kama `location.search`, `document.referrer`, au `document.cookie`) inahamishwa kwa usalama kwenda **sinks**. Sinks ni kazi au vitu (mfano, `eval()`, `document.body.innerHTML`) ambavyo vinaweza kutekeleza au kuonyesha maudhui hatari ikiwa vitapewa data mbaya.

* **Vyanzo** ni ingizo ambalo linaweza kubadilishwa na washambuliaji, ikiwa ni pamoja na URLs, cookies, na ujumbe wa wavuti.
* **Sinks** ni maeneo hatari ambapo data mbaya inaweza kusababisha athari mbaya, kama vile utekelezaji wa script.

Hatari inatokea wakati data inatiririka kutoka chanzo hadi sink bila uthibitisho au usafi sahihi, ikiruhusu mashambulizi kama XSS.

{% hint style="info" %}
**You can find a more updated list of sources and sinks in** [**https://github.com/wisec/domxsswiki/wiki**](https://github.com/wisec/domxsswiki/wiki)
{% endhint %}

**Vyanzo vya kawaida:**
```javascript
document.URL
document.documentURI
document.URLUnencoded
document.baseURI
location
document.cookie
document.referrer
window.name
history.pushState
history.replaceState
localStorage
sessionStorage
IndexedDB (mozIndexedDB, webkitIndexedDB, msIndexedDB)
Database
```
**Common Sinks:**

| [**Open Redirect**](dom-xss.md#open-redirect)                                    | [**Javascript Injection**](dom-xss.md#javascript-injection)                         | [**DOM-data manipulation**](dom-xss.md#dom-data-manipulation) | **jQuery**                                                             |
| -------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- | ------------------------------------------------------------- | ---------------------------------------------------------------------- |
| `location`                                                                       | `eval()`                                                                            | `scriptElement.src`                                           | `add()`                                                                |
| `location.host`                                                                  | `Function() constructor`                                                            | `scriptElement.text`                                          | `after()`                                                              |
| `location.hostname`                                                              | `setTimeout()`                                                                      | `scriptElement.textContent`                                   | `append()`                                                             |
| `location.href`                                                                  | `setInterval()`                                                                     | `scriptElement.innerText`                                     | `animate()`                                                            |
| `location.pathname`                                                              | `setImmediate()`                                                                    | `someDOMElement.setAttribute()`                               | `insertAfter()`                                                        |
| `location.search`                                                                | `execCommand()`                                                                     | `someDOMElement.search`                                       | `insertBefore()`                                                       |
| `location.protocol`                                                              | `execScript()`                                                                      | `someDOMElement.text`                                         | `before()`                                                             |
| `location.assign()`                                                              | `msSetImmediate()`                                                                  | `someDOMElement.textContent`                                  | `html()`                                                               |
| `location.replace()`                                                             | `range.createContextualFragment()`                                                  | `someDOMElement.innerText`                                    | `prepend()`                                                            |
| `open()`                                                                         | `crypto.generateCRMFRequest()`                                                      | `someDOMElement.outerText`                                    | `replaceAll()`                                                         |
| `domElem.srcdoc`                                                                 | **\`\`**[**Local file-path manipulation**](dom-xss.md#local-file-path-manipulation) | `someDOMElement.value`                                        | `replaceWith()`                                                        |
| `XMLHttpRequest.open()`                                                          | `FileReader.readAsArrayBuffer()`                                                    | `someDOMElement.name`                                         | `wrap()`                                                               |
| `XMLHttpRequest.send()`                                                          | `FileReader.readAsBinaryString()`                                                   | `someDOMElement.target`                                       | `wrapInner()`                                                          |
| `jQuery.ajax()`                                                                  | `FileReader.readAsDataURL()`                                                        | `someDOMElement.method`                                       | `wrapAll()`                                                            |
| `$.ajax()`                                                                       | `FileReader.readAsText()`                                                           | `someDOMElement.type`                                         | `has()`                                                                |
| **\`\`**[**Ajax request manipulation**](dom-xss.md#ajax-request-manipulation)    | `FileReader.readAsFile()`                                                           | `someDOMElement.backgroundImage`                              | `constructor()`                                                        |
| `XMLHttpRequest.setRequestHeader()`                                              | `FileReader.root.getFile()`                                                         | `someDOMElement.cssText`                                      | `init()`                                                               |
| `XMLHttpRequest.open()`                                                          | `FileReader.root.getFile()`                                                         | `someDOMElement.codebase`                                     | `index()`                                                              |
| `XMLHttpRequest.send()`                                                          | [**Link manipulation**](dom-xss.md#link-manipulation)                               | `someDOMElement.innerHTML`                                    | `jQuery.parseHTML()`                                                   |
| `jQuery.globalEval()`                                                            | `someDOMElement.href`                                                               | `someDOMElement.outerHTML`                                    | `$.parseHTML()`                                                        |
| `$.globalEval()`                                                                 | `someDOMElement.src`                                                                | `someDOMElement.insertAdjacentHTML`                           | [**Client-side JSON injection**](dom-xss.md#client-side-sql-injection) |
| **\`\`**[**HTML5-storage manipulation**](dom-xss.md#html-5-storage-manipulation) | `someDOMElement.action`                                                             | `someDOMElement.onevent`                                      | `JSON.parse()`                                                         |
| `sessionStorage.setItem()`                                                       | [**XPath injection**](dom-xss.md#xpath-injection)                                   | `document.write()`                                            | `jQuery.parseJSON()`                                                   |
| `localStorage.setItem()`                                                         | `document.evaluate()`                                                               | `document.writeln()`                                          | `$.parseJSON()`                                                        |
| **``**[**`Denial of Service`**](dom-xss.md#denial-of-service)**``**              | `someDOMElement.evaluate()`                                                         | `document.title`                                              | **\`\`**[**Cookie manipulation**](dom-xss.md#cookie-manipulation)      |
| `requestFileSystem()`                                                            | **\`\`**[**Document-domain manipulation**](dom-xss.md#document-domain-manipulation) | `document.implementation.createHTMLDocument()`                | `document.cookie`                                                      |
| `RegExp()`                                                                       | `document.domain`                                                                   | `history.pushState()`                                         | [**WebSocket-URL poisoning**](dom-xss.md#websocket-url-poisoning)      |
| [**Client-Side SQl injection**](dom-xss.md#client-side-sql-injection)            | [**Web-message manipulation**](dom-xss.md#web-message-manipulation)                 | `history.replaceState()`                                      | `WebSocket`                                                            |
| `executeSql()`                                                                   | `postMessage()`                                                                     | \`\`                                                          | \`\`                                                                   |

The **`innerHTML`** sink doesn't accept `script` elements on any modern browser, nor will `svg onload` events fire. This means you will need to use alternative elements like `img` or `iframe`.

This kind of XSS is probably the **hardest to find**, as you need to look inside the JS code, see if it's **using** any object whose **value you control**, and in that case, see if there is **any way to abuse** it to execute arbitrary JS.

## Tools to find them

* [https://github.com/mozilla/eslint-plugin-no-unsanitized](https://github.com/mozilla/eslint-plugin-no-unsanitized)
* Browser extension to check every data that reaches a potential sink: [https://github.com/kevin-mizu/domloggerpp](https://github.com/kevin-mizu/domloggerpp)

## Examples

### Open Redirect

From: [https://portswigger.net/web-security/dom-based/open-redirection](https://portswigger.net/web-security/dom-based/open-redirection)

**Open redirect vulnerabilities in the DOM** occur when a script writes data, which an attacker can control, into a sink capable of initiating navigation across domains.

It's crucial to understand that executing arbitrary code, such as **`javascript:alert(1)`**, is possible if you have control over the start of the URL where the redirection occurs.

Sinks:
```javascript
location
location.host
location.hostname
location.href
location.pathname
location.search
location.protocol
location.assign()
location.replace()
open()
domElem.srcdoc
XMLHttpRequest.open()
XMLHttpRequest.send()
jQuery.ajax()
$.ajax()
```
### Cookie manipulation

From: [https://portswigger.net/web-security/dom-based/cookie-manipulation](https://portswigger.net/web-security/dom-based/cookie-manipulation)

Vikosi vya usalama vya cookie vinavyotokana na DOM vinatokea wakati script inajumuisha data, ambayo inaweza kudhibitiwa na mshambuliaji, katika thamani ya cookie. Uthibitisho huu unaweza kusababisha tabia isiyotarajiwa ya ukurasa wa wavuti ikiwa cookie itatumika ndani ya tovuti. Zaidi ya hayo, inaweza kutumika kutekeleza shambulio la fixation ya kikao ikiwa cookie inahusishwa na kufuatilia vikao vya watumiaji. Kichimbaji kikuu kinachohusishwa na uthibitisho huu ni:

Sinks:
```javascript
document.cookie
```
### JavaScript Injection

From: [https://portswigger.net/web-security/dom-based/javascript-injection](https://portswigger.net/web-security/dom-based/javascript-injection)

Vikosi vya kuingiza JavaScript vinavyotokana na DOM vinaundwa wakati script inapoendesha data, ambayo inaweza kudhibitiwa na mshambuliaji, kama msimbo wa JavaScript.

Sinks:
```javascript
eval()
Function() constructor
setTimeout()
setInterval()
setImmediate()
execCommand()
execScript()
msSetImmediate()
range.createContextualFragment()
crypto.generateCRMFRequest()
```
### Document-domain manipulation

From: [https://portswigger.net/web-security/dom-based/document-domain-manipulation](https://portswigger.net/web-security/dom-based/document-domain-manipulation)

**Vulnerabilities za document-domain manipulation** hutokea wakati script inapoweka mali ya `document.domain` kwa kutumia data ambayo mshambuliaji anaweza kudhibiti.

Mali ya `document.domain` ina **jukumu muhimu** katika **utekelezaji** wa **sera ya asili sawa** na vivinjari. Wakati kurasa mbili kutoka asili tofauti zinapoweka `document.domain` yao kwa **thamani sawa**, zinaweza kuingiliana bila vizuizi. Ingawa vivinjari vinaweka **mipaka** fulani kwenye thamani zinazoweza kuwekwa kwa `document.domain`, kuzuia uwekaji wa thamani zisizohusiana kabisa na asili halisi ya ukurasa, kuna visamaha. Kawaida, vivinjari vinaruhusu matumizi ya **domain za mtoto** au **domain za mzazi**.

Sinks:
```javascript
document.domain
```
### WebSocket-URL poisoning

From: [https://portswigger.net/web-security/dom-based/websocket-url-poisoning](https://portswigger.net/web-security/dom-based/websocket-url-poisoning)

**WebSocket-URL poisoning** hutokea wakati script inatumia **data zinazoweza kudhibitiwa kama URL ya lengo** kwa ajili ya muunganisho wa WebSocket.

Sinks:

Mjenzi wa `WebSocket` unaweza kusababisha udhaifu wa WebSocket-URL poisoning.

### Link manipulation

From: [https://portswigger.net/web-security/dom-based/link-manipulation](https://portswigger.net/web-security/dom-based/link-manipulation)

**Udhaifu wa DOM-based link-manipulation** unatokea wakati script inaandika **data zinazoweza kudhibitiwa na mshambuliaji kwenye lengo la urambazaji** ndani ya ukurasa wa sasa, kama vile kiungo kinachoweza kubofywabofya au URL ya kuwasilisha ya fomu.

Sinks:
```javascript
someDOMElement.href
someDOMElement.src
someDOMElement.action
```
### Ajax request manipulation

From: [https://portswigger.net/web-security/dom-based/ajax-request-header-manipulation](https://portswigger.net/web-security/dom-based/ajax-request-header-manipulation)

**Vulnerabilities za uendeshaji wa ombi la Ajax** zinatokea wakati script inaandika **data inayoweza kudhibitiwa na mshambuliaji katika ombi la Ajax** ambalo linatolewa kwa kutumia `XmlHttpRequest` object.

Sinks:
```javascript
XMLHttpRequest.setRequestHeader()
XMLHttpRequest.open()
XMLHttpRequest.send()
jQuery.globalEval()
$.globalEval()
```
### Local file-path manipulation

From: [https://portswigger.net/web-security/dom-based/local-file-path-manipulation](https://portswigger.net/web-security/dom-based/local-file-path-manipulation)

**Vulnerabilities za usimamizi wa njia za faili za ndani** zinatokea wakati script inapopita **data inayoweza kudhibitiwa na mshambuliaji kwa API ya usimamizi wa faili** kama parameter ya `filename`. Vulnerability hii inaweza kutumika na mshambuliaji kuunda URL ambayo, ikiwa itatembelewa na mtumiaji mwingine, inaweza kusababisha **kuvunjika au kuandika faili la ndani la kiholela** kwenye kivinjari cha mtumiaji.

Sinks:
```javascript
FileReader.readAsArrayBuffer()
FileReader.readAsBinaryString()
FileReader.readAsDataURL()
FileReader.readAsText()
FileReader.readAsFile()
FileReader.root.getFile()
FileReader.root.getFile()
```
### Client-Side SQl injection

From: [https://portswigger.net/web-security/dom-based/client-side-sql-injection](https://portswigger.net/web-security/dom-based/client-side-sql-injection)

**Vikosi vya SQL-injection upande wa mteja** hutokea wakati script inajumuisha **data inayoweza kudhibitiwa na mshambuliaji katika ombi la SQL upande wa mteja kwa njia isiyo salama**.

Sinks:
```javascript
executeSql()
```
### HTML5-storage manipulation

From: [https://portswigger.net/web-security/dom-based/html5-storage-manipulation](https://portswigger.net/web-security/dom-based/html5-storage-manipulation)

**Vulnerabilities za HTML5-storage manipulation** zinatokea wakati script **inaweka data inayoweza kudhibitiwa na mshambuliaji katika hifadhi ya HTML5 ya kivinjari cha wavuti** (`localStorage` au `sessionStorage`). Ingawa hatua hii si kasoro ya usalama kwa asili, inakuwa tatizo ikiwa programu itasoma **data iliyohifadhiwa na kuiprocess kwa njia isiyo salama**. Hii inaweza kumruhusu mshambuliaji kutumia mekanizma ya hifadhi kufanya mashambulizi mengine ya msingi wa DOM, kama vile cross-site scripting na JavaScript injection.

Sinks:
```javascript
sessionStorage.setItem()
localStorage.setItem()
```
### XPath injection

From: [https://portswigger.net/web-security/dom-based/client-side-xpath-injection](https://portswigger.net/web-security/dom-based/client-side-xpath-injection)

**Vikosi vya XPath-injection vinavyotokana na DOM** hutokea wakati script inajumuisha **data inayoweza kudhibitiwa na mshambuliaji katika ombi la XPath**.

Sinks:
```javascript
document.evaluate()
someDOMElement.evaluate()
```
### Client-side JSON injection

From: [https://portswigger.net/web-security/dom-based/client-side-json-injection](https://portswigger.net/web-security/dom-based/client-side-json-injection)

**Vikosi vya JSON-injection vinavyotokana na DOM** hutokea wakati script inajumuisha **data inayoweza kudhibitiwa na mshambuliaji katika mfuatano ambao unachambuliwa kama muundo wa data wa JSON na kisha kushughulikiwa na programu**.

Sinks:
```javascript
JSON.parse()
jQuery.parseJSON()
$.parseJSON()
```
### Web-message manipulation

From: [https://portswigger.net/web-security/dom-based/web-message-manipulation](https://portswigger.net/web-security/dom-based/web-message-manipulation)

**Vulnerabilities za ujumbe wa wavuti** zinatokea wakati script inatuma **data inayoweza kudhibitiwa na mshambuliaji kama ujumbe wa wavuti kwa hati nyingine** ndani ya kivinjari. **Mfano** wa udanganyifu wa ujumbe wa wavuti unaweza kupatikana katika [Akademia ya Usalama wa Wavuti ya PortSwigger](https://portswigger.net/web-security/dom-based/controlling-the-web-message-source).

Sinks:

Njia ya `postMessage()` ya kutuma ujumbe wa wavuti inaweza kusababisha udhaifu ikiwa msikilizaji wa tukio la kupokea ujumbe unashughulikia data inayokuja kwa njia isiyo salama.

### DOM-data manipulation

From: [https://portswigger.net/web-security/dom-based/dom-data-manipulation](https://portswigger.net/web-security/dom-based/dom-data-manipulation)

**Vulnerabilities za udanganyifu wa data ya DOM** zinatokea wakati script inaandika **data inayoweza kudhibitiwa na mshambuliaji kwenye uwanja ndani ya DOM** ambayo inatumika ndani ya UI inayoonekana au mantiki ya upande wa mteja. Udhaifu huu unaweza kutumiwa na mshambuliaji kujenga URL ambayo, ikiwa itatembelewa na mtumiaji mwingine, inaweza kubadilisha muonekano au tabia ya UI ya upande wa mteja.

Sinks:
```javascript
scriptElement.src
scriptElement.text
scriptElement.textContent
scriptElement.innerText
someDOMElement.setAttribute()
someDOMElement.search
someDOMElement.text
someDOMElement.textContent
someDOMElement.innerText
someDOMElement.outerText
someDOMElement.value
someDOMElement.name
someDOMElement.target
someDOMElement.method
someDOMElement.type
someDOMElement.backgroundImage
someDOMElement.cssText
someDOMElement.codebase
document.title
document.implementation.createHTMLDocument()
history.pushState()
history.replaceState()
```
### Denial of Service

From: [https://portswigger.net/web-security/dom-based/denial-of-service](https://portswigger.net/web-security/dom-based/denial-of-service)

**Vulnerabilities za denial-of-service zinazotokana na DOM** hutokea wakati script inapopita **data inayoweza kudhibitiwa na mshambuliaji kwa njia isiyo salama kwa API ya jukwaa yenye matatizo**. Hii inajumuisha APIs ambazo, zinapoitwa, zinaweza kusababisha kompyuta ya mtumiaji kutumia **kiasi kikubwa cha CPU au nafasi ya diski**. Vulnerabilities kama hizi zinaweza kuwa na athari kubwa, kama vile kivinjari kuzuia utendaji wa tovuti kwa kukataa juhudi za kuhifadhi data katika `localStorage` au kumaliza scripts zinazoshughulika. 

Sinks:
```javascript
requestFileSystem()
RegExp()
```
## Dom Clobbering

{% content-ref url="dom-clobbering.md" %}
[dom-clobbering.md](dom-clobbering.md)
{% endcontent-ref %}

{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}