The website or application is vulnerable to DOM-based cross-site scripting (XSS). Cross-site
scripting allows a malicious attacker to trick your web application into emitting the
attacker's code along with your web application when it runs in the browser of an
unsuspecting user.
Whereas traditional XSS takes advantage of vulnerable back-end CGI
scripts to directly emit the code into served pages, DOM-based XSS takes advantage
of vulnerable client-side script on the served page itself. For
example, the following vulnerable script can be used to launch an XSS attack:
var loc = document.location + '?gotoHomepage=1';   // document.location is influenced by whoever built the URL
document.write('<a href="' + loc + '">Home</a>');   // raw string written into the page, no escaping
Here the script takes the document location, which can be under the control
of an attacker, and writes it directly into the document content without escaping.
An attacker could construct a URL containing <script> tags in it and trick an unsuspecting
user into visiting the vulnerable website. A URL such as
can be constructed that would cause the script above to write the attacker's malicious script tags
directly into the user's document, where they will be executed.
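The pattern above rewritten as pure functions so the vulnerable and hardened forms can be compared outside a browser. This is an added example, not code from the original finding; `buildHomeLink*`, `escapeHtml` and the sample URL are constructed for illustration, with `document.location` passed in as the `href` argument.

```javascript
// Escape the characters that can close a double-quoted attribute or open a
// tag. This is the minimum for interpolating into an HTML attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// What the original script does: raw concatenation of the page URL into markup.
function buildHomeLinkUnsafe(href) {
  const loc = href + '?gotoHomepage=1';
  return '<a href="' + loc + '">Home</a>';
}

// Hardened version: escape the URL before it is interpolated into markup.
// In a real page, building the element with document.createElement('a'),
// a.href = loc, a.textContent = 'Home' avoids string-built HTML entirely.
function buildHomeLinkSafe(href) {
  const loc = href + '?gotoHomepage=1';
  return '<a href="' + escapeHtml(loc) + '">Home</a>';
}

// Self-check used below: the intended output contains exactly two '<'
// characters (<a ...> and </a>). Anything more means injected markup.
function introducesExtraTags(html) {
  return (html.match(/</g) || []).length !== 2;
}

// Constructed sample: a page URL whose fragment carries markup. The fragment
// is never sent to the server, so server-side filtering or logging cannot
// observe this input; the check has to happen in the client-side code.
const SAMPLE_HREF = 'https://example.test/page.html#"><b>injected</b>';

console.log(introducesExtraTags(buildHomeLinkUnsafe(SAMPLE_HREF))); // true
console.log(introducesExtraTags(buildHomeLinkSafe(SAMPLE_HREF)));   // false
```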
An exploit script can be made to:
- access other sites inside another client's private intranet.
- steal another client's cookie(s).
- modify another client's cookie(s).
- steal another client's submitted form data.
- modify another client's submitted form data (before it reaches the server).
- submit a form to your application on the user's behalf which modifies passwords or other application data.
The two most common methods of attack are:
- Clicking on a URL link sent in an e-mail
- Clicking on a URL link while visiting a website
In both scenarios, the URL will generally link to the trusted site, but
will contain additional data that is used to trigger the XSS attack.
Note that SSL connectivity does not protect against this issue.