If an application receives data via some out-of-band channel and

■■

Attacks against DOM-based XSS may not involve submitting any

Some applications employ a more sophisticated client-side script that per-

forms stricter parsing of the query string — for example, it may search the

URL for the parameter name followed by the 

=

sign, but then extract what fol-

&

or 

. In this case, the

two attacks described previously could be modified as follows:

https://wahh-app.com/error.php?foomessage=&message=Sorry%2c+an+error+occurred

https://wahh-app.com/error.php#message=

In both cases, the first match for 

message=

is followed immediately by the

attack string, without any intervening delimiter, and so the payload is

processed and copied into the HTML page source.

In some cases, you may find that very complex processing is performed on

DOM-based data, and it is difficult to trace all of the different paths taken by

user-controllable data, and all of the manipulation being performed, solely

through static review of the JavaScript source code. In this situation, it can be

very beneficial to use a JavaScript debugger to monitor the script’s execution

dynamically. The FireBug extension to the Firefox browser is a full-fledged

debugger for client-side code and content, which enables you to set break-

points and watches on interesting code and data, making the task of under-

standing a complex script considerably easier.