DOM-based XSS (Client-side JavaScript Code Review)

R3zk0n · October 2, 2025

Contents

    Enumerate JS/NPM packages - refer to OSWE openCOCKPIT

    DOM XSS

    • document.write: grep -r "document.write" ./ --include *.html

    In order to understand DOM-based XSS, we must first familiarize ourselves with the Document Object Model (DOM). When a browser interprets an HTML page, it must render the individual HTML elements. Rendering creates an object for each element. HTML elements like div can contain other HTML elements like h1; when parsed by a browser, the div object is created and contains an h1 object as a child node. Browsers generate a DOM from HTML so that a page can be manipulated programmatically via JavaScript.

    For this manipulation to occur, JavaScript implements the Document interface. To query for an object in the DOM, the Document interface exposes methods such as getElementById, getElementsByClassName, and getElementsByTagName.

    • Searching for DOM-based XSS:
      • grep -r "document.write" ./ --include *.html
      • urlParams -> Points to user-controllable input
      • grep -r "buildPath[[:space:]]*=" ./
      • location.search -> Accepts input from querystrings
      • Use HTTPS Server + JavaScript file for POC
      • https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting#inside-javascript-code
      • https://github.com/qwutony/notes/blob/main/OSWE/11.%20openITCOCKPIT/index.md
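    The greps above find sinks one at a time; an added review aid (not part of the original notes or of any project mentioned here) that ties a user-controllable source such as location.search or urlParams to a sink such as document.write or innerHTML on the same or a later line, run over a constructed sample of vulnerable and safe code:

```javascript
// Lightweight source-to-sink finder for DOM XSS code review (added example).
// It scans JavaScript text line by line, records variables assigned from
// user-controllable sources, and flags lines where a dangerous sink consumes
// a source or a tainted variable. Text matching only; it is not a parser.

const SOURCES = [
  'location.search', 'location.hash', 'location.href', 'document.URL',
  'document.referrer', 'URLSearchParams', 'urlParams',
];

const SINKS = [
  'document.write', 'document.writeln', '.innerHTML', '.outerHTML',
  'insertAdjacentHTML', 'eval(', 'setTimeout(', 'setInterval(',
];

// Returns the variable name if this line assigns a source or an already
// tainted variable to it, e.g. `var q = location.search` -> ['q'].
function taintedAssignments(line, tainted) {
  const m = line.match(/^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=\s*(.+)$/);
  if (!m) return [];
  const rhs = m[2];
  const fromSource = SOURCES.some((s) => rhs.includes(s));
  const fromTainted = [...tainted].some((v) => new RegExp(`\\b${v}\\b`).test(rhs));
  return fromSource || fromTainted ? [m[1]] : [];
}

// Scan JavaScript source text; returns [{line, sink, via}] findings.
function findDomXss(source) {
  const tainted = new Set();
  const findings = [];
  source.split('\n').forEach((line, i) => {
    taintedAssignments(line, tainted).forEach((v) => tainted.add(v));
    const sink = SINKS.find((s) => line.includes(s));
    if (!sink) return;
    const via = SOURCES.find((s) => line.includes(s))
      || [...tainted].find((v) => new RegExp(`\\b${v}\\b`).test(line));
    if (via) findings.push({ line: i + 1, sink: sink.replace(/^\./, ''), via });
  });
  return findings;
}

// Constructed sample (not from any real application): a vulnerable pattern
// next to two safe ones, so only line 4 should be reported.
const SAMPLE = `
var urlParams = new URLSearchParams(location.search);
var name = urlParams.get('name');
document.write('<h1>Hi ' + name + '</h1>');          // sink fed by source
document.getElementById('out').textContent = name;    // safe: textContent
document.getElementById('out').innerHTML = 'static';  // sink, but constant
`;

console.log(findDomXss(SAMPLE)); // [{ line: 4, sink: 'document.write', via: 'name' }]
```

    The safe line shows the usual fix for the flagged pattern: write untrusted data through textContent (or a DOM node built with createElement) rather than document.write or innerHTML.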

    Stealing authenticated information without session cookies

    The application will consist of 3 main components: the XSS payload script, a SQLite database to store collected content, and a Flask API server to receive content collected by the XSS payload.

    • Sources: https://firefox-source-docs.mozilla.org/devtools-user/index.html
    • Using the Document interface, we can query for HTML elements via the getElementById and getElementsByTagName methods. We can change the content of an HTML element with the innerHTML property. We can also create new elements with the createElement method.
    • Access items in the returned array: document.getElementsByTagName("body")[0] or document.getElementsByTagName("html")[0], and print the innerHTML
    • Minify the HTML and remove any escapes - also use single quotes
    • Change the form of the fake login page to prevent the form from loading a new page.

    Creating Proof of Concept

    • Database Server (python script + sqlite)
    • API Server
    • Front Page using XSS

    Web Scraper

    • Load the home page. Create an iframe instead of XHR to load the page and any JavaScript.
    • Search for all unique links and save their hrefs.
    • Fetch the content of each link.
    • Send the content obtained from each link to our API server using async fetch and promises.
    • Finish Extra Mile tasks

    Authenticated RCE

    • Refer to websocket RCE
