Cross Site Scripting (DOM-Based)

Category: Client Side Vulnerabilities | Web and API | CWE Top 25 (2022)


Cross Site Scripting (DOM-Based) is a client side vulnerability listed in the CWE Top 25 (2022) and classified as CWE-79. It is an injection attack in which an attacker gets malicious JavaScript executed in a web page or in the client of an API. Unlike reflected or stored XSS, the payload is processed entirely by the application's own client-side JavaScript: attacker-controlled data is read from a source such as the URL fragment and written into the page without being validated or encoded, so the attacker can manipulate the application, steal data, and act within the victim's browser session. The root cause is a lack of input validation and output encoding in the client-side code of web applications and APIs. According to the OWASP Testing Guide, Cross Site Scripting (DOM-Based) is one of the most difficult web application vulnerabilities to detect, in part because the payload need never reach the server, and it can be used to exploit the user's browser.


Cross Site Scripting (DOM-Based) can be a serious risk to an organization: it can lead to the theft of sensitive data, the alteration of the application's functionality, and an attacker gaining control of the victim's session with the system. Note that the attacker does not need to be authenticated to exploit this vulnerability; the victim's browser supplies the authenticated context. A successful exploit therefore inherits everything the victim's session is allowed to do.


The best way to prevent Cross Site Scripting (DOM-Based) attacks is to validate all user-supplied input against what the application actually expects, and to encode it for the context in which it is used. Any user-supplied input sent to the browser should be escaped. Input that is consumed by client-side JavaScript needs the same treatment on the client: validate it, and prefer DOM APIs that treat the value as text (such as textContent) over sinks that parse it as HTML or code (such as innerHTML, document.write or eval). Together these measures ensure that injected data is never interpreted as code by the browser.


The following line shows the pattern that makes a page vulnerable to Cross Site Scripting (DOM-Based): client-side JavaScript reads data the attacker controls, here the URL fragment, without validating it.

var foo = unescape(document.location.hash.substring(1)); // attacker-controlled source: the URL fragment after '#'

In this example, the attacker places the malicious code in the URL hash of a link to the page. When the page loads, its own JavaScript reads the hash into foo; if foo is then written into the document through an unsafe sink (for example innerHTML or document.write), the browser parses it as HTML and the injected script executes. Because the fragment is never sent to the server, server-side validation, filters and access logs do not see it, which is why this variant is hard to detect from the server side.
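As an added example (not code from the original page), the source line above is carried through to an HTML sink beside a hardened rendering routine. The element stand-in, the allow-list pattern and the sample fragments are constructed so the code runs outside a browser.

```javascript
// Minimal stand-in for a DOM element so the example runs in Node (constructed).
// In a real browser, assigning innerHTML makes the engine parse the string as HTML.
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Decode the fragment the way the page's unescape() call does, but treat malformed
// percent-encoding as "no value" instead of letting decodeURIComponent throw.
function readFragment(hash) {
  try {
    return decodeURIComponent(hash.substring(1));
  } catch (e) {
    return null; // URIError on input like "#%E0%A4%A"
  }
}

// Vulnerable: the attacker-controlled fragment flows straight into an HTML sink.
function renderVulnerable(hash, el) {
  var foo = readFragment(hash) || "";
  el.innerHTML = foo; // sink: a browser would parse this as markup and run any script in it
  return el.innerHTML;
}

// HTML-entity encoding for the cases where a value must be placed inside markup.
function encodeHtml(s) {
  var map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Hardened: allow-list the value (constructed: a section id of letters, digits, '_' or '-'),
// then write it through a text sink so the browser never interprets it as HTML.
var FRAGMENT_ALLOWED = /^[A-Za-z0-9_-]{1,64}$/;

function renderHardened(hash, el) {
  var value = readFragment(hash);
  if (value === null || !FRAGMENT_ALLOWED.test(value)) {
    value = ""; // reject anything outside the expected shape, including malformed encoding
  }
  el.textContent = value; // text sink: inert even if the allow-list were ever loosened
  return el.textContent;
}

module.exports = { makeElement, readFragment, renderVulnerable, encodeHtml, renderHardened };
```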
