This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

OWASP AppSec DC 2012/Unraveling some of the Mysteries around DOMbased XSS

Revision as of 12:32, 25 March 2012 by Mark.bristow (talk | contribs)

Jump to: navigation, search


Registration Now OPEN! | Hotel | Schedule | Convention Center |

The Presentation

DOM-based XSS was first revealed to the world back in 2005 by Amit Klien, when it was an interesting theoretical vulnerability. In 2012, with the push towards Web 2.0 well into the mainstream, DOM-based XSS has become a very commonly uncovered and exploited vulnerability, but it's poorly understood.
This talk will focus on the full range of issues around DOM-based XSS. It will start with a discussion of the technical details of the vulnerability, the true nature of the risk it introduces (both likelihood and impact), and some new terminology and updated definitions about what truly is a DOM-based XSS vulnerability as compared to the standard Stored and Reflected XSS that the community is well aware of. It will then discuss the difficulties that security analysts face when trying to find DOM-based XSS flaws, and provide recommended analysis techniques that help move DOM-based XSS discovery from an art towards more of a science. And finally, it will discuss simple techniques for avoiding DOM-based XSS issues in the first place as well as how to mitigate issues that are uncovered during a security review.
This talk will include discussion of numerous open source resources that are available on this topic. OWASP has numerous articles on DOM-based XSS, including a definition article (, an OWASP testing guide article _site_scripting_(OWASP-DV-003)), and the DOM-based XSS prevention cheat sheet eat_Sheet), and there are also other open source articles from leading researchers like Stefano Di Paulo ( as well. The speaker has already contributed to all of these OWASP articles and in preparation for this talk, plans to review and contribute additional enhancements to each of these articles in order to make the author's recommendations publically available to the web security community in a very broad manner far beyond just delivering this talk at AppSec DC. The talk will also showcase and provide worked examples of how to use open source proxy tools like OWASP ZAP ( and WebScarab (, along with Firebug and Chrome's developer tools to track down DOM-based XSS issues within an application. The only open source DOM-based XSS detection tool, DOMinator (, will also be showcased in this talk.

The Speakers

Dave Wichers

Owasp logo normal.jpg

Gold Sponsors

Aspect logo owasp.jpg AppSecDC2009-Sponsor-securicon.gif AppSecDC2009-Sponsor-mandiant.gif AppSecDC2012-ISC2.gif

Silver Sponsors


Small Business

AppSecDC2012-Sponsor-sideas.gif BayShoreNetworks.png


link= Codenomicon WhiteHat Logo.png AppSecDC2012-HP.jpg WSI - Logo.jpg