DOM-Based XSS

DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.

Because the payload never reaches the server, DOM-based XSS is not visible in the HTTP response or in server-side logs, and server-side output encoding does not stop it. Its impact is the same as any other XSS: the injected script runs in the origin of the vulnerable page, so the attacker can, for example, take actions on the user's behalf using the modified JavaScript code.


Types of DOM-based XSS:

  1. URL to JS : a tainted value taken from the URL (location.hash, location.search, document.referrer, window.name, ...) reaches a sink that executes it directly as code.

    • Sinks (JS) :

      1- eval()

      2- Function()

      3- setTimeout() (only when passed a string instead of a function)

      4- setInterval() (only when passed a string instead of a function)

  2. URL to JS to HTML : the tainted value is written by script into the DOM as markup or as a URL attribute, and the browser then executes it (a javascript: URL in href or src, an inline event handler inside injected markup, and so on).

    • Sinks (JS) :

      1- setAttribute("src",payload)

      2- setAttribute("href",payload)

      3- document.write()

      (innerHTML and outerHTML assignments belong in this group as well.)

    • Sinks (jQuery) : attr() and prop() with src/href are URL sinks; the rest parse their string argument as HTML.

      1- attr("src",payload)

      2- attr("href",payload)

      3- html()

      4- append()

      5- after()

      6- replaceWith()

      7- before()

      8- insertAfter()

      9- insertBefore()

      10- wrap()

      11- appendTo()

      12- wrapAll()

      13- wrapInner()

      14- replaceAll()

      15- prop()

      16- prependTo()

      17- prepend()

How does it work?

The attacker sends the victim a URL whose fragment (the part after '#') carries the payload. The browser never sends the fragment to the server, so the page's HTML is served unchanged and the attack happens entirely in the victim's browser.

Let's look at the vulnerable page:

<!DOCTYPE html>
<a id="a" href>click</a>
<script>
// Source: the URL fragment, parsed as key=value pairs separated by '&'.
function getHashes() {
    var aURL = window.location.href;
    var vars = {};
    var hashes = aURL.slice(aURL.indexOf('#') + 1).split('&');
    for (var i = 0; i < hashes.length; i++) {
        var hash = hashes[i].split('=');
        if (hash.length > 1) {
            vars[hash[0]] = hash[1];
        } else {
            vars[hash[0]] = null;
        }
    }
    return vars;
}

// Sink: the attacker-controlled "url" value is written, unvalidated, into the href attribute.
var hashes = getHashes(), redirect;
if (hashes["url"]) {
    redirect = hashes["url"];
    document.getElementById("a").href = redirect;
}
</script>

In this scenario the page expects the "url" parameter in the fragment to hold a link target, and it copies that value straight into the href attribute of the anchor without checking the scheme.


If the attacker sends the victim a URL whose "url" parameter is a javascript: URL, the script runs in the victim's browser as soon as the link is clicked. A URL that triggers the XSS looks like file:///root/Desktop/dom.html#url=javascript:alert(1);

Note : this page is hosted locally
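A hardened version of the same fragment-to-href flow, written for this page as an added example (it is not the original page's code), that also illustrates the "URL to JS to HTML" sink category listed above. It keeps the same "#url=value" convention but parses the fragment with URLSearchParams instead of hand-rolled splitting, resolves the candidate with the URL constructor, and only accepts http: and https: targets, so a javascript: or data: payload like the one above is dropped before it reaches the href sink. The function names, the optional allowedOrigins parameter and the sample URLs in the comments are assumptions made for the example; the functions are pure, so they run in Node as well as in a browser.

```javascript
// Added example, not code from the original page.
// parseFragment, safeHref, redirectTargetFromFragment and allowedOrigins are assumed names.

// Parse "a=b&c=d" out of the fragment. URLSearchParams percent-decodes values,
// tolerates '=' inside a value, and never evaluates anything.
function parseFragment(href) {
  var idx = href.indexOf('#');
  if (idx === -1) return {};
  var vars = {};
  new URLSearchParams(href.slice(idx + 1)).forEach(function (value, key) {
    vars[key] = value;
  });
  return vars;
}

// Allowlist the scheme (and optionally the origin) of a candidate link target.
// Returns the normalised absolute URL, or null if it must not be used.
function safeHref(candidate, base, allowedOrigins) {
  var parsed;
  try {
    parsed = new URL(candidate, base); // resolves relative paths, throws on garbage
  } catch (e) {
    return null;
  }
  // javascript:, data:, vbscript:, file: and friends all fail this check.
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  // Optional open-redirect guard: only send users to origins we explicitly name.
  if (allowedOrigins && allowedOrigins.indexOf(parsed.origin) === -1) return null;
  return parsed.href;
}

// The whole flow: source (page URL fragment) -> validation -> value for the href sink.
// e.g. "https://example.com/dom.html#url=javascript:alert(1)" -> null (constructed sample)
function redirectTargetFromFragment(pageHref, allowedOrigins) {
  var vars = parseFragment(pageHref);
  if (!vars.url) return null;
  return safeHref(vars.url, pageHref, allowedOrigins);
}

// Browser wiring. Assigning the href property is fine once the value is validated;
// never build the <a> with innerHTML or document.write from the same value.
if (typeof document !== 'undefined') {
  var target = redirectTargetFromFragment(window.location.href);
  var anchor = document.getElementById('a');
  if (anchor && target) anchor.href = target;
}
```

The scheme allowlist is the part that stops the XSS; a denylist of "javascript:" alone is not enough because of case variations and leading whitespace or control characters that the URL parser strips. The origin allowlist is separate: without it the link can still be steered to any http(s) site, which is an open redirect rather than script execution.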
