In this part of the Damn Vulnerable Web Application (DVWA) series we will see how DOM-based XSS is executed.
DOM-based XSS is a cross-site scripting vulnerability that arises in client-side JavaScript rather than in the HTML the server returns: the script reads attacker-controlled data from a source such as the URL (location.search, location.hash, document.referrer) and writes it into the page through a sink such as document.write(), innerHTML or eval(). Every HTML document has an associated DOM (Document Object Model), a tree of objects through which the browser exposes the document's structure and properties, and it is this tree that the vulnerable script modifies. Because the payload need not reach the server at all (a fragment after # is never sent in the request), server-side filters, WAFs and access logs often miss it entirely. As with standard XSS prevention, validate incoming data where possible and always escape data as your script writes it to the page; in practice this means avoiding methods that take raw HTML and preferring ones that keep HTML structure separate from values or text (createElement(), textContent, setAttribute()).
How to defend against a DOM-based XSS attack:
The most effective defence is not to dynamically write data from any untrusted source into the HTML document at all. Where that is unavoidable, the data must be sanitised or encoded for the context it lands in. This can be complex: depending on where the value is inserted it may need a combination of JavaScript escaping, HTML encoding and URL encoding, and the order matters, because the encodings nest (a value placed inside a URL, inside an attribute, inside a script string needs each layer's encoding applied innermost first).
Avoid directly modifying the DOM with raw HTML: build nodes with createElement() and set textContent or individual attributes instead of concatenating strings into innerHTML, outerHTML or document.write().
As an additional control, validate that the data about to be inserted contains only the characters it legitimately needs (for a language name, alphanumeric characters and whitespace) and reject anything else outright rather than trying to strip "bad" characters, which is easy to bypass.