📖
NOTES
  • Welcome!
  • Reference
    • Hacking
      • Penetration Testing Resources Bookmarks
        • Research Links
        • Cheat Sheet
        • Learning/Training
        • Tools
        • Payloads
        • Shell
        • AI
        • Reads
        • Podcast
        • Social Engineering
        • Payloads
      • Web/App Pentesting
        • SQL Injection
          • SQL Injection In The URL
          • SQL Injection In The Search Field
          • SQL Injection in Login forms
          • Boolean SQL Injection Blind
          • Time based SQL Injection Blind
          • Bypassing SQL Filters
          • SQL Injection with sqlmap
          • XPath Injection - Authentication Bypass
            • XPath Advanced Data Exfiltration
          • Payloads
        • XSS
          • Payloads
          • XSS Reflected
          • XSS Stored
          • Dom-based
          • Blind
        • Command Injection
          • Payloads
        • File Upload
          • Payloads
          • Bypass Filters
          • File Upload Tricks
        • SSRF
          • Payloads
        • LFI/RFI
          • Payloads
        • LDAP Injection
      • Port Swigger
        • Access control
          • Lab: Unprotected admin functionality
          • Unprotected admin functionality with unpredictable URL
          • User role controlled by request parameter
          • User ID controlled by request parameter, with unpredictable user IDs
          • User ID controlled by request parameter with password disclosure
        • Authentication
          • Username enumeration via different responses
        • Server-side request forgery (SSRF)
          • Basic SSRF against the local server
          • Basic SSRF against another back-end system
        • File Upload Vulnerabilities
          • Remote code execution via web shell upload
        • SQL Injection
          • SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
      • Burp
        • Setting up Macro for intruder
      • ☁️Cloud
        • Tools
        • AWS
          • 🪣S3 Buckets
          • Amazon IAM
          • Dockers
            • Tools
        • Azure
        • GCP
      • Networking
        • Cheat Sheet
      • Hardware Hacking
        • Computer BIOS
    • HTML/CSS/JAVA
      • Tools
      • HTTP Response Status Codes
      • Bootstrap Templates
      • SSL
      • cURL
      • Grep
    • DataBase
      • My SQL
        • Cheat Sheet
        • Tools
    • PYTHON3
      • Code Resources
      • Python Reference Guide
        • Cheat Sheet
      • Code Projects
        • Jiggler Mouse
        • loan calculator
        • Bilnd LDAP Data Exfiltration
    • SEO
      • Tools
      • On-Page SEO
      • Local SEO and Keyword Research
      • Content Optimization
      • Technical SEO
      • Off-Page SEO Tools
      • Google Ads
    • Cloud
      • AWS
        • Light Sail
          • Hosting Website on Light Sail and Namecheap
        • Boto3
      • Azure
      • GCP
    • Files
      • PDF
Powered by GitBook
On this page
  1. Reference
  2. Hacking
  3. Web/App Pentesting
  4. XSS

Dom-based

In a DOM-based XSS attack, a malicious payload is not actually parsed by the victim's browser until the website's legitimate JavaScript is executed. An attacker's payload will only be executed when the vulnerable Javascript code is either loaded or interacted with. The JavaScript execution happens directly in the browser without any new pages being loaded or data submitted to backend code. Execution occurs when the website JavaScript code acts on input or user interaction.

test" onmouseover="alert('Hover over the image and inspect the image element')"
test" onmouseover="alert(document.cookie)"
test" onmouseover="document.body.style.backgroundColor = 'red';"
#"><img src=/ onerror=alert(2)>
<iframe src="javascript:alert('xss')">
PreviousXSS StoredNextBlind

Last updated 1 year ago