OWASP Periodic Table of Vulnerabilities - Cross-Site Scripting (XSS) - DOM-Based

Revision as of 08:06, 21 July 2013 by James Landis (talk | contribs)

Cross-Site Scripting (XSS) - DOM-Based

Root Cause Summary

Client-side code (e.g. JavaScript) inserts attacker-controlled data into the DOM in a way that allows the data to be executed as functional code. Examples include using document.write, which can introduce SCRIPT nodes directly, and modifying innerHTML or other element attributes that can cause SCRIPT nodes to be generated or function definitions to be overwritten. DOM-Based XSS differs from other forms of cross-site scripting which are the result of vulnerable server-side code.

Browser / Standards Solution


Perimeter Solution


Generic Framework Solution

"Web 2.0" frameworks must expose an API for page creation/modification that does not use document.write or document.writeln, and does not allow dynamic data to be injected into innerHTML or similar DOM element attributes. Dynamic data must be written to the DOM using createTextNode, which does not introduce the danger of interpreting user data as functional code.
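The root-cause paragraph above and the createTextNode guidance in this section, shown side by side in a small browser script. This is an added example, not the OWASP page's or any framework's own code; the page URL, the #name= fragment format and the greeting element id are assumptions.

```javascript
// Added example for this page (not OWASP's own code): a DOM-based XSS sink
// beside its fix. Assumes a hypothetical page that greets the user by a name
// taken from the URL fragment, e.g. https://example.test/welcome.html#name=Alice

// Source: attacker-controlled data read from the URL fragment.
function nameFromFragment(hash) {
  const m = /^#name=(.*)$/.exec(hash || "");
  return m ? decodeURIComponent(m[1]) : "guest";
}

// VULNERABLE sink: the name is concatenated into markup and assigned to
// innerHTML, so the browser parses it as HTML. Tags and event-handler
// attributes in the name therefore become live DOM nodes.
function renderGreetingUnsafe(container, name) {
  container.innerHTML = "<p>Welcome, " + name + "!</p>";
}

// FIXED sink: build the element with createElement and put the name in a
// text node. Text node content is never parsed as markup, so the same input
// is shown literally. `doc` is passed in so the function can be exercised
// without a browser.
function renderGreetingSafe(doc, container, name) {
  const p = doc.createElement("p");
  p.appendChild(doc.createTextNode("Welcome, " + name + "!"));
  container.replaceChildren(p);
}

// Constructed sample input: a fragment carrying markup instead of a name.
const SAMPLE_HASH = "#name=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E";

// Stand-alone use in a browser: render the greeting safely into #greeting.
// Skipped when no DOM is present (e.g. when the file is loaded under Node).
if (typeof document !== "undefined") {
  renderGreetingSafe(document, document.getElementById("greeting"),
                     nameFromFragment(location.hash));
}
```

With the safe sink the decoded fragment text ends up as the text content of a single text node, so the browser renders it as characters rather than elements.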

Custom Framework Solution


Custom Code Solution


Discussion / Controversy

DOM-Based Cross-Site Scripting is sometimes referred to as “Type-0 XSS”.
