🪓DOM Injections

web extension: https://github.com/swoops/eval_villain

web extension: https://chromewebstore.google.com/detail/untrusted-types-for-devto/bpeblffgmddnafmnmdjohcmkbeifdlnb

---------------------------------------------------------------

Here are some example keywords to look for in endpoint-specific .js files.

For example, imagine you are on "https://www.bugbountyhunter.com/challenge" - you may find a "challenge.js".

Search specifically (the browser's Inspect Element / Sources view is enough) for: .innerHTML, var = getParameter(), parameter, pathname, document.write(, document.cookie, location.href, redirectUrl, window.hash.

Note: Do not waste time browsing library files such as jquery.js.

Typically these files do not contain anything that will be of use to you. Go for the custom-made, endpoint-specific .js files.
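As an added example (not code from the original page) of the keyword hunt described above, the script below does the same search mechanically: a regex triage pass over an endpoint-specific JS file that lists every line touching one of the sources or sinks named in the text, then pairs variables assigned from a source with later sink lines that use them. It is a code-review aid, not a parser, so it over-reports and every flow it prints still has to be confirmed by reading the code. The sample file is constructed for the example.

```javascript
// Added example, not code from the original page: a regex triage scan of
// endpoint-specific JS for the sources and sinks listed above. It is a
// code-review aid, not a parser, so expect false positives and confirm by hand.

const SINKS = [
  { name: 'innerHTML', re: /\.(innerHTML|outerHTML)\s*\+?=/ },
  { name: 'document.write', re: /document\.write(ln)?\s*\(/ },
  { name: 'location.href', re: /location\.href\s*=/ },
  { name: 'eval', re: /\beval\s*\(/ },
];

const SOURCES = [
  { name: 'location.hash', re: /location\.hash|window\.hash/ },
  { name: 'location.search', re: /location\.search|getParameter\s*\(/ },
  { name: 'pathname', re: /\bpathname\b/ },
  { name: 'document.cookie', re: /document\.cookie/ },
  { name: 'redirectUrl', re: /\bredirectUrl\b/ },
];

// Pass 1: every line mentioning a source or a sink is a finding.
function scanSource(src) {
  const findings = [];
  src.split('\n').forEach((text, idx) => {
    const line = idx + 1;
    for (const s of SOURCES) if (s.re.test(text)) findings.push({ line, kind: 'source', name: s.name });
    for (const s of SINKS) if (s.re.test(text)) findings.push({ line, kind: 'sink', name: s.name });
  });
  return findings;
}

// Pass 2: a variable assigned on a source line is treated as tainted; a later sink
// line that mentions it (or that contains a source itself) is a flow to review.
function findFlows(src) {
  const tainted = new Map(); // identifier -> line where it picked up the source
  const flows = [];
  src.split('\n').forEach((text, idx) => {
    const line = idx + 1;
    const hasSource = SOURCES.some((s) => s.re.test(text));
    const assign = text.match(/\b(?:var|let|const)\s+([A-Za-z_$][\w$]*)\s*=/);
    if (hasSource && assign) tainted.set(assign[1], line);
    for (const sink of SINKS) {
      if (!sink.re.test(text)) continue;
      if (hasSource) flows.push({ line, sink: sink.name, via: '(direct)', taintedAt: line });
      for (const [name, at] of tainted) {
        const ident = new RegExp('\\b' + name.replace(/\$/g, '\\$') + '\\b');
        if (ident.test(text)) flows.push({ line, sink: sink.name, via: name, taintedAt: at });
      }
    }
  });
  return flows;
}

// Constructed sample of the kind of endpoint-specific file the text describes.
const SAMPLE_JS = [
  'function getParameter(name) {',
  '  return new URLSearchParams(location.search).get(name);',
  '}',
  "var name = getParameter('name');",
  "document.getElementById('greeting').innerHTML = 'Hello ' + name;",
  'var page = location.hash.slice(1);',
  'document.write(\'<a href="\' + page + \'">back</a>\');',
  'console.log(document.title);',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(scanSource(SAMPLE_JS)); // 4 source lines, 2 sink lines
  console.log(findFlows(SAMPLE_JS));  // name -> innerHTML (line 5), page -> document.write (line 7)
}
```

Run it against a downloaded endpoint.js with `fs.readFileSync` in place of SAMPLE_JS; the flows list is the short list of lines worth opening in the debugger.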

---------------------------------------------------------------

Tip: always try injecting after the DOM path, i.e. after the URL fragment (#):

https://domain.com/Path/#/customer/settings/'"><img src=x onerror=alert(document.domain)>

https://domain.com/Path/#q="><svg/onload=alert(document.cookie)>

https://domain.com/Path.jsp#"><svg/onload=alert(document.cookie)>

DOM XSS Injection Endpoint

---------------------------------------------------------------

DOM Insert Injection

Use to test for XSS when the injection gets inserted into the DOM as valid markup instead of being reflected in the source code. It works in cases where a script tag and other vectors won't work.

---------------------------------------------------------------

Jump to URL Fragment

Use when you need to hide some characters of your payload that would otherwise trigger a WAF, for example. It makes use of the respective payload format after the URL fragment (#).

---------------------------------------------------------------

DOM-based XSS

Based on a DOM XSS sink.
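The fragment-based routes that the tip above probes (https://domain.com/Path/#/customer/settings/...) are usually produced by client-side code that splices pieces of location.hash into markup. As an added example, not code from the original page, here is that sink beside a hardened version: the router parses the fragment into a known route plus one allowlisted parameter and escapes before rendering. No DOM is used; both renderers return the HTML string that would be assigned to an element, so it runs under Node. The route names and parameter patterns are assumptions, and the probe string is the page's own.

```javascript
// Added example, not code from the original page: a fragment router of the
// https://domain.com/Path/#/customer/settings/<value> shape, once with the
// fragment concatenated into markup (the sink the tip above probes) and once
// hardened. No DOM is used: both renderers return the HTML string that would be
// assigned to an element, so this runs under Node. Route names are assumed.

// Vulnerable: the last fragment segment goes straight into HTML.
function renderUnsafe(hash) {
  const segments = hash.replace(/^#\/?/, '').split('/');
  const last = segments[segments.length - 1];
  return '<h1>' + decodeURIComponent(last) + '</h1>';
}

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Routes the application actually has; each one says what its parameter may look like.
const ROUTES = {
  'customer/settings': { title: 'Settings', param: /^[A-Za-z0-9_-]{1,32}$/ },
  'customer/orders': { title: 'Orders', param: /^\d{1,10}$/ },
};

// Hardened: the fragment is parsed into a known route plus one validated
// parameter; anything else is rejected instead of rendered.
function parseRoute(hash) {
  let path;
  try { path = decodeURIComponent(hash.replace(/^#\/?/, '')); } catch (e) { return null; }
  const parts = path.split('/').filter((p) => p.length > 0);
  if (parts.length < 2 || parts.length > 3) return null;
  const key = parts[0] + '/' + parts[1];
  if (!Object.prototype.hasOwnProperty.call(ROUTES, key)) return null;
  const param = parts.length === 3 ? parts[2] : null;
  if (param !== null && !ROUTES[key].param.test(param)) return null;
  return { route: key, title: ROUTES[key].title, param };
}

function renderSafe(hash) {
  const r = parseRoute(hash);
  if (r === null) return '<h1>Not found</h1>';
  // escapeHtml is belt and braces here: the values are already allowlisted.
  let html = '<h1>' + escapeHtml(r.title) + '</h1>';
  if (r.param !== null) html += '<p>' + escapeHtml(r.param) + '</p>';
  return html;
}

// The page's own probe, as a constructed input.
const PROBE = '#/customer/settings/\'"><img src=x onerror=alert(document.domain)>';
```

renderUnsafe(PROBE) returns markup containing the img element; renderSafe(PROBE) returns the not-found page. The allowlist does the real work: once a segment can only be a short alphanumeric token, there is nothing left for escaping to catch, which is why it is kept as a second line of defence rather than the only one.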

---------------------------------------------------------------

DOM Insert Injection – Resource Request

Use when native JavaScript code inserts into the page the result of a request to a URL that the attacker can control.

---------------------------------------------------------------

Javascript postMessage() DOM Injection (with Iframe)

Use when there's a "message" event listener, as in window.addEventListener('message', ...), in JavaScript code without an origin check. The target must be frameable (X-Frame-Options header, according to context). Save as an HTML file (or use data:text/html), providing TARGET_URL and INJECTION (an XSS vector or payload).
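The listener described above, as an added example that is not code from the original page: the version with no origin check beside a hardened one. The handlers take an event-like object ({ origin, data }) and an element stand-in so they run under Node; in a real page they would be registered with window.addEventListener('message', handler). TRUSTED_ORIGIN, the message shape and both sample events are assumptions constructed for the example.

```javascript
// Added example, not code from the original page: a "message" listener with no
// origin check beside a hardened one. Handlers take an event-like object
// ({ origin, data }) and an element stand-in so they run under Node; in a page
// they would be registered with window.addEventListener('message', handler).
// TRUSTED_ORIGIN and the message shape are assumptions for the example.

const TRUSTED_ORIGIN = 'https://app.example';

function makeElement() {
  return { innerHTML: '', textContent: '' };
}

// Vulnerable: any window holding a reference to this one (a framing page, an
// opener, a popup) can post data, and that data lands in an HTML sink.
function handleMessageUnsafe(event, target) {
  target.innerHTML = event.data;
  return true;
}

// Hardened: exact-match the origin, require a structured message of a known
// type, and write it as text rather than markup.
function handleMessageSafe(event, target) {
  if (event.origin !== TRUSTED_ORIGIN) return false; // exact compare, not a prefix/includes check
  const msg = event.data;
  if (typeof msg !== 'object' || msg === null) return false;
  if (msg.type !== 'setGreeting' || typeof msg.name !== 'string') return false;
  target.textContent = 'Hello ' + msg.name;
  return true;
}

// Constructed events: one from an untrusted framing page, one from the trusted app.
const UNTRUSTED_EVENT = {
  origin: 'https://attacker.example',
  data: '<img src=x onerror=alert(document.domain)>',
};
const TRUSTED_EVENT = {
  origin: TRUSTED_ORIGIN,
  data: { type: 'setGreeting', name: 'Alice' },
};
```

Two details matter in the safe handler. The origin comparison is an exact string match: substring or prefix checks on event.origin are satisfied by any hostname that merely contains the trusted name. And the data is written with textContent after its shape has been checked, so even a message from the trusted origin cannot carry markup into the page. Where the listener is only meant for same-origin use, refusing to be framed (X-Frame-Options, or frame-ancestors in CSP) removes the framing route the text relies on.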

---------------------------------------------------------------

Javascript Pseudo-Protocol Obfuscation

Use to bypass filters looking for javascript:alert(1). Make sure it works (passes) with "1" before adding alert(1), because this very payload might need some extra obfuscation to bypass the filter completely. The last option only works with DOM manipulation of the payload (as in location-based payloads or DOM-based XSS). Encode them properly in URLs.
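The filters this section is aimed at fail because they match text rather than the URL the browser will act on. As an added example, not code from the original page, the block below puts a string blocklist for javascript: beside an allowlist on the parsed scheme, and reuses the same parse for the "Resource Request" case above, where the URL a script fetches and inserts must also stay on an origin the application owns. Node's WHATWG URL parser normalises the way a browser does (lower-cases the scheme, strips leading and trailing whitespace), so the allowlist judges the resolved URL. PAGE_ORIGIN, ALLOWED_ORIGINS and the sample inputs are assumptions constructed for the example.

```javascript
// Added example, not code from the original page: a string blocklist for
// "javascript:" beside an allowlist on the parsed scheme, plus the same
// parsed-origin check for fetch targets. PAGE_ORIGIN and ALLOWED_ORIGINS are
// assumptions for the example.

const PAGE_ORIGIN = 'https://app.example';
const ALLOWED_ORIGINS = new Set([PAGE_ORIGIN, 'https://api.example']);

// Weak: matches text, not what the browser will navigate to.
function blocklistCheck(raw) {
  return !raw.toLowerCase().startsWith('javascript:');
}

// Better: parse relative to the page, then allow only the schemes meant to be used.
function isSafeHref(raw) {
  let url;
  try { url = new URL(raw, PAGE_ORIGIN + '/'); } catch (e) { return false; }
  return url.protocol === 'https:' || url.protocol === 'http:';
}

// For fetch()/XHR targets whose response ends up in the page: same parse, but
// the origin must also be one the application owns.
function isAllowedRequestUrl(raw) {
  let url;
  try { url = new URL(raw, PAGE_ORIGIN + '/'); } catch (e) { return false; }
  return url.protocol === 'https:' && ALLOWED_ORIGINS.has(url.origin);
}

// Constructed inputs: the leading space is enough to slip past the blocklist,
// while the URL parser strips it and still resolves the javascript: scheme.
const PLAIN = 'javascript:alert(1)';
const PADDED = ' javascript:alert(1)';
```

Run the check on the value the browser will use: the DOM attribute value (el.getAttribute('href')) or the argument handed to location.assign, not a raw HTML string, since the HTML parser decodes entities before the URL parser ever sees the value. Note that isAllowedRequestUrl rejects protocol-relative inputs such as //evil.example/x, which resolve to a foreign origin, while accepting a same-origin path such as /v1/items.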

---------------------------------------------------------------

DOM Insertion via Server-Side Reflection

Use when input is reflected into the source and cannot execute through the reflection itself, but can once it is inserted into the DOM. Avoids browser filtering and WAFs.

---------------------------------------------------------------

DOM-based CSP Bypass

Use when your CSP bypass is inserted into the DOM. The CSP bypass vector must be in the contents of "srcdoc".

---------------------------------------------------------------
