DOM-based XSS
In DOM-based XSS the malicious code is never sent to the server. The injection point is somewhere that JavaScript has access to.
The typical example of how this works is with URLs.
The user is able to control the URL with the help of the hash symbol #. If we add that symbol to a URL, the browser will not include the characters that come after it in the request to the server.
https://example.com/#this_is_not_sent_to_server
However, the complete URL, fragment included, is available to page script through DOM objects.
document.URL
// will give: https://example.com/#this_is_not_sent_to_server
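The following script is an added example and is not from the original page. It runs under Node, using the WHATWG URL class in place of the browser's location and document.URL, and a stub object in place of a real DOM element. It shows that the fragment never appears in the request target but is fully visible to script, and it places a vulnerable fragment-to-innerHTML handler beside two hardened versions (textContent on an ordinary element, or HTML-escaping when markup is needed). The sample URL, the stub element and the function names are constructed for this example.

```javascript
// Added example, not the page's code. Node's URL class stands in for
// location / document.URL; makeStubElement() stands in for a DOM element.

// The part of the URL a browser puts in the HTTP request line: path plus
// query. Everything after '#' stays in the browser.
function requestTarget(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}

// What page script sees via document.URL / location.href: the whole URL.
function scriptVisibleUrl(url) {
  return new URL(url).href;
}

// Minimal stand-in for a DOM element (constructed for this example). It only
// records which property was written, so we can tell markup from text.
function makeStubElement() {
  return { innerHTML: null, textContent: null };
}

// Untrusted input: the fragment. Browsers percent-encode some characters in
// location.hash, so decode it to get what the user actually typed.
function fragmentOf(url) {
  return decodeURIComponent(new URL(url).hash.slice(1));
}

// Vulnerable: the fragment (a source) flows into innerHTML (a sink), so any
// markup in it is parsed as HTML by a real browser.
function greetUnsafe(el, url) {
  el.innerHTML = '<h1>Hello ' + fragmentOf(url) + '</h1>';
  return el.innerHTML;
}

// Hardened (1): write the untrusted value with textContent. On an ordinary
// element this is never interpreted as HTML (a <script> element is the
// exception; see the Sinks list below).
function greetSafe(el, url) {
  el.textContent = 'Hello ' + fragmentOf(url);
  return el.textContent;
}

// Hardened (2): when markup around the value is needed, escape the value
// before it reaches the innerHTML sink.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

function greetEscaped(el, url) {
  el.innerHTML = '<h1>Hello ' + escapeHtml(fragmentOf(url)) + '</h1>';
  return el.innerHTML;
}

// Constructed sample: a fragment carrying harmless markup.
const SAMPLE_URL = 'https://example.com/page?x=1#<b>injected</b>';

console.log('request target :', requestTarget(SAMPLE_URL));
console.log('script sees    :', scriptVisibleUrl(SAMPLE_URL));
console.log('unsafe         :', greetUnsafe(makeStubElement(), SAMPLE_URL));
console.log('textContent    :', greetSafe(makeStubElement(), SAMPLE_URL));
console.log('escaped        :', greetEscaped(makeStubElement(), SAMPLE_URL));
```

Run it with node; the request target is /page?x=1 with no trace of the fragment, while the script-visible URL still contains it. Only greetUnsafe hands the raw markup to innerHTML.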
Source
So in order to inject and execute a DOM-based XSS we need an injection point (called the source) and a point of execution (called the sink).
In the example above, document.URL is our source. Examples of other sources are:
document.URL
document.documentURI
document.URLUnencoded (IE 5.5 or later only)
document.baseURI
location
location.href
location.search
location.hash
location.pathname
window.name
document.referrer
Sinks
eval
setTimeout
setInterval
setImmediate
execScript
crypto.generateCRMFRequest
ScriptElement.src
ScriptElement.text
ScriptElement.textContent
ScriptElement.innerText
anyTag.onEventName
Finding it
To find DOM-based XSS you need to read the client-side code and trace where data from a source reaches a sink.
If the JavaScript is bundled and minified, you can use js_beautify to make it readable again.
sudo apt-get install libjavascript-beautifier-perl
# then invoke js_beautify
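As an added example (not from the original page), here is a small Node script that does the first pass of that review automatically: it walks a JavaScript file line by line and reports lines where one of the sources or sinks listed above is used, with a crude single-file taint rule (a variable assigned from a source counts as tainted where it is used later). The source and sink lists are the ones from this page, plus innerHTML, which I have added as a common markup sink; the JavaScript sample it scans is constructed for this example and is not real application code.

```javascript
// Added example, not the page's code: a grep-style source/sink scanner.

// Sources, taken from the list above (bare `location` is left out because it
// would match far too much on its own).
const SOURCES = [
  'document.URL', 'document.documentURI', 'document.URLUnencoded',
  'document.baseURI', 'location.href', 'location.search', 'location.hash',
  'location.pathname', 'window.name', 'document.referrer',
];
const SOURCE_RE = new RegExp('\\b(' + SOURCES.map(s => s.replace(/\./g, '\\.')).join('|') + ')\\b');

// Sinks from the list above. Call sinks are matched as `name(`; property sinks
// as `.name =` (a plain assignment, not `==`); `.onX =` covers anyTag.onEventName.
// innerHTML is my addition, not on the page's list.
const CALL_SINKS = ['eval', 'setTimeout', 'setInterval', 'setImmediate', 'execScript', 'crypto.generateCRMFRequest'];
const PROP_SINKS = ['src', 'text', 'textContent', 'innerText', 'innerHTML'];
const SINK_PATTERNS = [
  ...CALL_SINKS.map(n => ({ name: n, re: new RegExp('\\b' + n.replace(/\./g, '\\.') + '\\s*\\(') })),
  ...PROP_SINKS.map(n => ({ name: '.' + n, re: new RegExp('\\.' + n + '\\s*=(?!=)') })),
  { name: '.onEvent', re: /\.on\w+\s*=(?!=)/ },
];

// Returns [{ line, sink, via }] where via is 'direct source' or the tainted
// variable name that reached the sink.
function scanForDomXss(source) {
  const findings = [];
  const tainted = new Set();
  source.split('\n').forEach((line, i) => {
    const lineNo = i + 1;
    const hasSource = SOURCE_RE.test(line);

    // Crude taint: `x = <expression mentioning a source>` marks x as tainted.
    const assign = line.match(/^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=(?!=)/);
    if (assign && hasSource) tainted.add(assign[1]);

    const taintedHere = [...tainted].find(v =>
      new RegExp('\\b' + v.replace(/\$/g, '\\$') + '\\b').test(line));

    for (const { name, re } of SINK_PATTERNS) {
      if (!re.test(line)) continue;
      if (hasSource) findings.push({ line: lineNo, sink: name, via: 'direct source' });
      else if (taintedHere) findings.push({ line: lineNo, sink: name, via: taintedHere });
    }
  });
  return findings;
}

// Constructed sample input (not real application code).
const SAMPLE_JS = [
  "var q = location.hash.slice(1);",                     // 1: q becomes tainted
  "var title = document.title;",                         // 2: harmless
  "document.getElementById('out').innerHTML = q;",       // 3: tainted q -> innerHTML
  "setTimeout('refresh()', 1000);",                      // 4: sink, but constant string
  "eval(q);",                                            // 5: tainted q -> eval
  "var s = document.createElement('script');",           // 6: harmless
  "s.src = location.search.slice(5);",                   // 7: source straight into .src
].join('\n');

function demo() {
  const findings = scanForDomXss(SAMPLE_JS);
  for (const f of findings) console.log(`line ${f.line}: sink ${f.sink} reached via ${f.via}`);
  return findings;
}
demo();
```

Replace SAMPLE_JS with the beautified bundle's contents (for example via fs.readFileSync) to use it on a real file. It is deliberately line-based and knows nothing about scope or control flow, so treat its output as a list of places to read carefully, not as proof of a vulnerability or of its absence.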
References
https://github.com/wisec/domxsswiki/wiki/location,-documentURI-and-URL-sources