Difference between revisions of "OWASP Periodic Table of Vulnerabilities - Cross-Site Scripting (XSS) - DOM-Based"
David Fern (talk | contribs) (Created page with "=== Cross-Site Scripting (XSS) - DOM-Based === == Root Cause Summary == The root cause of DOM based XSS is allowing the DOM on the victim’s browser (client-side scripts s...") |
David Fern (talk | contribs) |
Line 1: | Line 1: | ||
+ | [[OWASP_Periodic_Table_of_Vulnerabilities#Periodic_Table_of_Vulnerabilities|Return to Periodic Table Working View]] | ||
+ | |||
=== Cross-Site Scripting (XSS) - DOM-Based === | === Cross-Site Scripting (XSS) - DOM-Based === | ||
Line 27: | Line 29: | ||
== Discussion / Controversy == | == Discussion / Controversy == | ||
− | Sometimes referred to as | + | DOM-Based Cross-Site Scripting 9XSS) is Sometimes referred to as “Type-0 XSS”. |
== References == | == References == |
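Review bot: the added line under "Discussion / Controversy" has a typo, "9XSS)" where "(XSS)" is meant, and "Sometimes" is capitalized mid-sentence. Suggest: DOM-Based Cross-Site Scripting (XSS) is sometimes referred to as “Type-0 XSS”. The removed line ended after "referred to as", so confirm the term now supplied is the intended one.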
Revision as of 03:49, 21 July 2013
Cross-Site Scripting (XSS) - DOM-Based
Root Cause Summary
The root cause of DOM-based XSS is allowing the DOM in the victim’s browser (client-side scripts such as JavaScript) to be manipulated or modified, enabling an attacker to run JavaScript in the victim's browser. This differs from traditional cross-site scripting, which occurs in server-side code.
Browser / Standards Solution
None
Perimeter Solution
None
Generic Framework Solution
"Web 2.0" frameworks must expose an API for page creation/modification that does not use document.write/ln or allow dynamic data to be injected into innerHTML or similar DOM element attributes.
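One way such a page-creation API could look, as an added example that is not part of the original wiki page or of any real framework: it builds nodes with createElement, text nodes and an attribute allowlist, so dynamic data is never parsed as markup. The names el, SAFE_TAGS, SAFE_ATTRS, safeUrl and renderProfileLink are hypothetical, and stubDoc is a constructed stand-in for the browser document.

```javascript
// Hypothetical helper names (el, SAFE_TAGS, SAFE_ATTRS, safeUrl); not from any real framework.
const SAFE_TAGS = new Set(["div", "p", "span", "a", "ul", "li"]);
const SAFE_ATTRS = new Set(["class", "id", "title", "href"]);

// Allowlist URL forms so javascript: and data: values never reach href.
function safeUrl(value) {
  const v = String(value).trim();
  return /^(https?:\/\/|\/|\.\/|#)/i.test(v) ? v : "#";
}

// Build an element without document.write or innerHTML.
function el(doc, tag, attrs = {}, children = []) {
  if (!SAFE_TAGS.has(tag)) throw new Error("tag not allowed: " + tag); // e.g. script, iframe
  const node = doc.createElement(tag);
  for (const [name, value] of Object.entries(attrs)) {
    const key = name.toLowerCase();
    if (!SAFE_ATTRS.has(key)) continue; // drops onclick, style, srcdoc, ...
    node.setAttribute(key, key === "href" ? safeUrl(value) : String(value));
  }
  for (const child of [].concat(children)) {
    // Strings become text nodes, so the browser never parses them as markup.
    node.appendChild(typeof child === "string" ? doc.createTextNode(child) : child);
  }
  return node;
}

// Constructed stand-in for the browser `document` so the example also runs under Node.
const stubDoc = {
  createElement: (tag) => ({
    tag, attrs: {}, children: [],
    setAttribute(k, v) { this.attrs[k] = v; },
    appendChild(c) { this.children.push(c); return c; },
  }),
  createTextNode: (text) => ({ text }),
};

// Constructed sample of attacker-influenced data (e.g. taken from the URL fragment).
const untrusted = { name: "<img src=x onerror=alert(1)>", link: "javascript:alert(1)" };

function renderProfileLink(doc, data) {
  return el(doc, "a", { href: data.link, onclick: data.name, class: "profile" }, data.name);
}

const link = renderProfileLink(typeof document !== "undefined" ? document : stubDoc, untrusted);
console.log(link.attrs || link.outerHTML);
```

In a browser the same call yields an anchor whose visible text is the literal string from `untrusted.name` and whose href is "#".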
Custom Framework Solution
None
Custom Code Solution
None
Discussion / Controversy
DOM-Based Cross-Site Scripting (XSS) is sometimes referred to as “Type-0 XSS”.
References
WASC - DOM Based Cross Site Scripting or XSS of the Third Kind