Finding sources and sinks for DOM XSS


DOM XSS (Cross-Site Scripting) vulnerabilities occur when client-side JavaScript writes user-controlled data to a dangerous sink without proper sanitization or encoding. Identifying sources (where untrusted input enters the page) and sinks (functions and properties that execute code or parse HTML) is the first step in finding and mitigating DOM XSS flaws.

You Should Know:

Common Sources of DOM XSS:

  1. URL Parameters – Accessed via `window.location`, `document.URL`, or `document.documentURI`.
  2. User Input Fields – Data read from `input` or `textarea` elements, or from `fetch()` responses.
  3. Cookies – Retrieved via `document.cookie`.
  4. LocalStorage/SessionStorage – Accessed via `localStorage.getItem()` / `sessionStorage.getItem()`.

Common Dangerous Sinks:

  – `eval()`
  – `innerHTML`
  – `document.write()`
  – `setTimeout()` / `setInterval()` with string arguments
  – `location.href` / `location.assign()`

Custom Nuclei Template for DOM XSS Detection:

```yaml
id: dom-xss-check

info:
  name: DOM XSS Source-Sink Detection
  author: LegionHunter
  severity: high

requests:
  - method: GET
    path:
      - "{{BaseURL}}?test=<script>alert(1)</script>"
    matchers:
      - type: word
        words:
          - "<script>alert(1)</script>"
        part: body
```

Note that this matcher fires only when the server reflects the payload in the response body, which is reflected XSS. A purely DOM-based flaw, where client-side script reads the value from the URL after the page loads, leaves the response body unchanged, so confirming it needs a headless browser or manual review of the JavaScript.

Manual Testing Steps:

1. Identify Input Sources:

```javascript
console.log(window.location.search); // Check URL parameters
```

2. Trace Data Flow:

```javascript
var userInput = document.getElementById('userInput').value;
document.getElementById('output').innerHTML = userInput; // Dangerous sink
```

3. Sanitize Inputs:

Use DOMPurify (the library must be loaded on the page first, e.g. via a `<script>` tag):

```javascript
const clean = DOMPurify.sanitize(userInput); // returns markup with scripts and event handlers removed
```

Prevention Techniques:

  • Use Content Security Policy (CSP) headers, for example `Content-Security-Policy: script-src 'self'`, which blocks inline scripts and scripts loaded from other origins even if markup is injected.
  • Avoid `eval()` and `innerHTML` for dynamic content.
  • Write untrusted data with `textContent` instead of `innerHTML`, so the browser treats it as text rather than parsing it as HTML.

What Undercode Says:

DOM XSS remains a critical web security issue because dynamic JavaScript execution is so often fed untrusted data. Manual code review, automated scanners like Nuclei, and strict CSP policies help mitigate the risk. Always validate and sanitize inputs before passing them to sinks.

Expected Output:

A secure web application free from DOM XSS vulnerabilities due to proper source-sink validation and sanitization.


Reported By: Abhirup Konwar – Hackers Feeds