In a DOM-based XSS attack, the malicious payload is not parsed by the victim's browser until the website's legitimate JavaScript runs. The attacker's payload executes only when the vulnerable JavaScript code is loaded or interacted with. Execution happens directly in the browser, without any new page being loaded or any data being submitted to backend code: it occurs when the website's JavaScript acts on input or user interaction.

test" onmouseover="alert('Hover over the image and inspect the image element')"
test" onmouseover="alert(document.cookie)"
test" onmouseover=" = 'red';"
#"><img src=/ onerror=alert(2)>
<iframe src="javascript:alert('xss')">
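The strings above work where client-side code concatenates input into markup or assigns it to a URL attribute. The following is an added example, not code from the original page: it runs two of them through an unescaped and an escaped attribute builder and applies a scheme allowlist to the iframe case. All function names, `/logo.png` and `https://example.test/` are assumptions made for the illustration.

```javascript
// Payloads copied from the list above, used as test input.
const PAGE_PAYLOADS = [
  'test" onmouseover="alert(document.cookie)"',
  '#"><img src=/ onerror=alert(2)>',
];

// Vulnerable pattern: input concatenated into markup that later reaches innerHTML.
function buildImgUnsafe(alt) {
  return '<img src="/logo.png" alt="' + alt + '">';
}

// Encode every character that can close a quoted attribute value or open a tag.
function escapeAttr(value) {
  return String(value).replace(/[&<>"'`]/g, (c) => '&#' + c.charCodeAt(0) + ';');
}

// Hardened form: the input can no longer leave the alt="..." value.
// In a real DOM, img.setAttribute('alt', value) or textContent avoids markup parsing entirely.
function buildImgSafe(alt) {
  return '<img src="/logo.png" alt="' + escapeAttr(alt) + '">';
}

// Demo check only (not a sanitizer): drop quoted attribute values, then list
// any on* event-handler names left in the markup itself.
function injectedHandlers(html) {
  return html.replace(/="[^"]*"/g, '').match(/\bon[a-z]+\b/gi) || [];
}

// Escaping does not help with javascript: URLs; allowlist the scheme instead.
function isSafeFrameUrl(url, base = 'https://example.test/') {
  try {
    return ['http:', 'https:'].includes(new URL(url, base).protocol);
  } catch (e) {
    return false; // unparsable input is rejected
  }
}

for (const p of PAGE_PAYLOADS) {
  console.log('unsafe:', injectedHandlers(buildImgUnsafe(p)),
              'safe:', injectedHandlers(buildImgSafe(p)));
}
console.log('iframe src allowed:', isSafeFrameUrl("javascript:alert('xss')"));
```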
