Digging Deep Into Dom XSS

5 min read · Apr 11, 2021


Okay, let’s tackle this beast. As I am writing this, I’m trying to prepare you for what’s coming, because this will not be easy at all. Burp Suite Pro makes it somewhat easier, but even then you still need to be able to interpret the scan results and exploit the vulnerability. This is where many hackers will fail. It’s as simple as that: this is not something you do for fun, this is serious business.

This vulnerability often goes unnoticed because it is hard to detect, which means it is still quite common in production environments.

If the DOM XSS labs do not exist yet, they will follow soon, but first we need to plow through a wall of text.


What is DOM XSS

To tackle this question we first need to answer what the DOM is. I will not go too deeply into this topic, as it can be very complex and goes back to how webpages are built. You are technically not even viewing the DOM when you look at the source code of a webpage: the source is the HTML the server sent, while the DOM is the live tree the browser builds from that HTML and exposes to JavaScript as objects, so that JS can read and manipulate it. To inspect the DOM properly this means that we MUST USE THE DEVELOPER CONSOLE AND NOT INSPECT SOURCE.

DOM XSS vulnerabilities usually arise when we can control input that enters the page via a so-called “DOM source” and is then passed into a “DOM sink” that supports dynamic code execution. Some examples are eval(), document.write(), …

Just like the source-based XSS we are familiar with, DOM XSS also has reflected and stored variants, which obey the same rules as source-based XSS. If a value is reflected from a GET or POST parameter into one of these sinks, we are talking about reflected DOM XSS. If the value comes from data stored in the DB, we are talking about stored DOM XSS.

DOM Sink

When we talk about DOM sinks, we talk about the locations where user-controlled data ends up being written into the DOM or executed. There are 3 types of DOM sinks and we will go over all of them.

Document sink


In this example we are writing to the innerHTML of an element in the DOM. This is a…
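As an added example (not code from the original post), here is the source-to-sink flow for the innerHTML sink: a `name` value read from the `location.hash` DOM source is written once through innerHTML (vulnerable) and once through textContent (hardened). The URLs and the `makeElementStub` element stand-in are constructed so the code runs outside a browser; in a real page you would pass `document.getElementById(...)` instead of the stub.

```javascript
// DOM source: take the "name" value from the URL fragment,
// e.g. https://example.test/#name=Alice (constructed example URL).
function nameFromHash(href) {
  const fragment = new URL(href).hash.replace(/^#/, "");
  const params = new URLSearchParams(fragment);
  return params.get("name") ?? "guest";
}

// Vulnerable: the string built from the DOM source is assigned to innerHTML,
// an HTML-parsing sink, so any markup in the fragment is parsed, not shown.
function greetUnsafe(el, href) {
  el.innerHTML = "<p>Welcome, " + nameFromHash(href) + "</p>";
}

// Hardened: same data, same element, but written through textContent,
// which is not an HTML-parsing sink; the value is rendered literally.
function greetSafe(el, href) {
  el.textContent = "Welcome, " + nameFromHash(href);
}

// Constructed stand-in for a browser element so this runs under Node:
// the innerHTML setter mimics the parser by recording every tag it would
// create, while the textContent setter records none, just like a browser.
function makeElementStub() {
  const state = { html: "", text: "", parsedTags: [] };
  return {
    state,
    set innerHTML(value) {
      state.html = value;
      state.parsedTags = [...value.matchAll(/<([a-z][a-z0-9]*)/gi)]
        .map((m) => m[1].toLowerCase());
    },
    set textContent(value) {
      state.text = value;
      state.parsedTags = [];
    },
  };
}

// Defender's check: which tags does each rendering path hand to the parser
// for a given URL? Returns a comma-separated list, empty when none.
function tagsReachingParser(render, href) {
  const el = makeElementStub();
  render(el, href);
  return el.state.parsedTags.join(",");
}
```

With a constructed fragment such as `#name=<b>Alice</b>`, `tagsReachingParser(greetUnsafe, url)` reports `p,b` while `tagsReachingParser(greetSafe, url)` reports nothing, which is exactly the difference between the two sinks.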
