The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

Both reflected and stored XSS vulnerabilities involve a specific pattern of

behavior, in which the application takes user-controllable data and displays

this back to users in an unsafe way. A third category of XSS vulnerabilities does

not share this characteristic. Here, the process by which the attacker’s

JavaScript gets executed is as follows:

■■

A user requests a crafted URL supplied by the attacker and containing

■■

The server’s response does not contain the attacker’s script in any form.

When the user’s browser processes this response, the script is executed

nonetheless.

How can this series of events occur? The answer is that client-side JavaScript

can access the browser’s document object model (DOM), and so can determine

the URL used to load the current page. A script issued by the application may

extract data from the URL, perform some processing on this data, and then use

it to dynamically update the contents of the page. When an application does

this, it may be vulnerable to DOM-based XSS.

Recall the original example of a reflected XSS flaw, in which the server-side

application copies data from a URL parameter into an error message. A differ-

ent way of implementing the same functionality would be for the application

to return the same piece of static HTML on every occasion and to use client-

side JavaScript to dynamically generate the message’s contents.