Testing for DOM-based Cross site scripting (OTG-CLIENT-001)
This article is part of the OWASP Testing Guide v3.
There have been very few papers published on this topic and, as such, very little standardization of its meaning and formalized testing exists.
Description of the Issue
One advantage that the exploitation of DOM-based XSS usually gives an attacker is that the server often cannot determine what is actually being executed, because the data is obtained on the client side, as will be seen later. In particular, when the payload is delivered in the URL fragment (the part after the #), the browser never sends it to the server at all, so server-side input filters and request logs do not see it. However, this advantage is often moot in practice, since reflected XSS flaws can be transformed into trivially exploitable DOM-based XSS flaws. As such, DOM-based XSS bugs should be treated with the same severity as reflected XSS bugs.
Black Box testing and example
Black box testing for DOM-based XSS is not usually performed, since access to the relevant source code is always available: the client-side code has to be sent to the browser in order to be executed. A tester therefore always has at least gray-box access to the scripts, even if they are minified or obfuscated, and the gray-box approach below is the one that applies.
Gray Box testing and example
Testing for DOM Based XSS vulnerabilities:
User input comes in two main forms:
- Input written to the page by the server in a way that does not allow direct XSS
- Input obtained from client-side JavaScript objects
Two examples of the first form, where the server inserts escaped data into the script (escaping keeps the value inside the string literal, but the value can still reach a dangerous sink later):
    var data = "<escaped data from the server>";
    var result = someFunction("<escaped data from the server>");
Two examples of the second form, where the script reads client-controlled objects directly:
    var data = window.location;              // the full URL, including the fragment, which the server never sees
    var result = someFunction(document.referrer);  // the Referer header; there is no window.referer property