Difference between revisions of "OWASP Periodic Table of Vulnerabilities - Cross-Site Scripting (XSS) - DOM-Based"

From OWASP
(Created page with "=== Cross-Site Scripting (XSS) - DOM-Based === == Root Cause Summary == The root cause of DOM based XSS is allowing the DOM on the victim’s browser (client-side scripts s...")
Revision as of 22:49, 20 July 2013


Cross-Site Scripting (XSS) - DOM-Based

Root Cause Summary

The root cause of DOM-based XSS is client-side script (such as JavaScript) running in the victim's browser that takes data an attacker controls and uses it to manipulate or modify the DOM in a way that lets the attacker's JavaScript run in the victim's browser. This differs from traditional cross-site scripting, where the flaw is in server-side code that writes the data into the response.

Browser / Standards Solution

None

Perimeter Solution

None

Generic Framework Solution

"Web 2.0" frameworks must expose an API for page creation/modification that does not use document.write/writeln and does not allow dynamic data to be injected into innerHTML or similar DOM properties and attributes.
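As an added illustration of the root cause and of the framework-level fix described above (example code written for this page, not OWASP's own), the same "greet the user from the URL fragment" feature is shown once with untrusted data flowing into the innerHTML sink and twice with the sinks the recommended API should favour instead. A constructed stand-in for a DOM element replaces a real browser node so the code runs under Node; the function names, the helper escapeHtml and the sample fragment are assumptions for this example.

```javascript
// Added example (not OWASP's code): DOM-based XSS sink versus safe alternatives.
// A minimal fake element stands in for a real DOM node so this runs outside a browser.

// Constructed stand-in for a DOM element: innerHTML is what the browser would
// parse as markup, textContent is what it would insert as inert text.
function makeElement() {
  return { innerHTML: '', textContent: '' };
}

// Source: the URL fragment (location.hash), which an attacker can set via a crafted link.
// The leading '#' is stripped and percent-encoding decoded, as a typical page would do.
function nameFromFragment(hash) {
  return decodeURIComponent(hash.replace(/^#/, ''));
}

// VULNERABLE: untrusted fragment data flows straight into innerHTML,
// so any markup it contains is parsed and rendered by the browser.
function greetUnsafe(el, hash) {
  el.innerHTML = 'Hello, ' + nameFromFragment(hash);
  return el.innerHTML;
}

// SAFE (preferred): textContent never parses markup; the same characters
// are displayed literally, so no script can result from them.
function greetSafe(el, hash) {
  el.textContent = 'Hello, ' + nameFromFragment(hash);
  return el.textContent;
}

// SAFE (when the template itself needs markup): HTML-encode the untrusted
// part before it reaches innerHTML. Assumed helper, not a framework API.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}
function greetEncoded(el, hash) {
  el.innerHTML = '<b>Hello, ' + escapeHtml(nameFromFragment(hash)) + '</b>';
  return el.innerHTML;
}

// Detection aid for review or tests: would the HTML parser see a tag here?
function containsMarkup(s) {
  return /<[a-zA-Z/]/.test(s);
}

// Constructed sample fragment: "#<b>Mallory</b>" percent-encoded. Harmless markup
// is enough to show which sinks parse it and which do not.
const SAMPLE_HASH = '#%3Cb%3EMallory%3C%2Fb%3E';

console.log('innerHTML sink :', greetUnsafe(makeElement(), SAMPLE_HASH));
console.log('textContent    :', greetSafe(makeElement(), SAMPLE_HASH));
console.log('encoded        :', greetEncoded(makeElement(), SAMPLE_HASH));
```

The first call shows the raw tag reaching the parser, which is the DOM-based XSS condition; the second shows textContent keeping it as inert text; the third shows encoding applied before an innerHTML write that the template genuinely needs. A framework API built on the second and third patterns, rather than on document.write or raw innerHTML, is what the "Generic Framework Solution" asks for.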

Custom Framework Solution

None

Custom Code Solution

None

Discussion / Controversy

DOM-Based Cross-Site Scripting (XSS) is sometimes referred to as "Type-0 XSS".

References

OWASP - DOM Based XSS

DOM-based XSS

WASC - DOM Based Cross Site Scripting or XSS of the Third Kind

DOM based Cross-site Scripting vulnerabilities