DOM Vulnerabilities
Last updated: March 5th, 2023
DOM Review
DOM stands for Document Object Model. It is a way to represent HTML and XML documents as a tree structure. In the DOM model, every part of the document is represented by a node: the document itself is the document node, HTML elements and attributes are element nodes and attribute nodes respectively, and so on. This allows a website to use JavaScript to reference and manipulate the nodes in order to generate content dynamically. DOM vulnerabilities arise when JavaScript takes an attacker-controlled value, known as a source, and passes it to a dangerous function, known as a sink.
Sources
Sources are where the vulnerabilities originate, but for a source to be exploitable its data must reach a sink. Below are some common sources that end up flowing into sinks:
- document.URL
- document.documentURI
- document.baseURI
- document.URLUnencoded
- location
- document.referrer
- document.cookie
- window.name
- history.pushState
- history.replaceState
- localStorage
- sessionStorage
- indexedDB
Sinks
Sinks are the vulnerable functions that take the source as an argument. Below are some common sinks:
- document.write()
- window.location
- document.cookie
- eval()
- document.domain
- WebSocket()
- element.src
- postMessage()
- setRequestHeader()
- FileReader.readAsText()
- executeSql()
- sessionStorage.setItem()
- document.evaluate()
- JSON.parse()
- element.setAttribute()
- RegExp()
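The following is an added example, not code from the original page, showing the source-to-sink flow described above: two of the listed sources (location.hash and location.search) flowing into two of the listed sinks (document.write()/innerHTML and window.location), with the weak handler beside a hardened one. The `fakeLocation` object is a constructed stand-in for window.location so the code runs under Node as well as in a browser; the function names are assumptions for this example.

```javascript
// Constructed stand-in for window.location (assumption for this example):
// `hash` and `search` are the attacker-influenced sources from the list above.
const fakeLocation = {
  hash: '#name=%3Cb%3EAda%3C%2Fb%3E',         // decodes to <b>Ada</b>
  search: '?next=//attacker.example/login',   // protocol-relative URL
};

// Read a named parameter from a location-like object's hash or query string.
function readParam(loc, part, name) {
  const raw = part === 'hash' ? loc.hash.slice(1) : loc.search.slice(1);
  return new URLSearchParams(raw).get(name);
}

// Weak: the source flows into an HTML string unchanged. Handing this string to
// document.write() or innerHTML lets any markup inside `name` become live DOM.
function unsafeGreeting(loc) {
  return '<p>Hello ' + readParam(loc, 'hash', 'name') + '</p>';
}

// Hardened: encode the five HTML-significant characters before the sink.
// (Assigning to element.textContent instead of innerHTML avoids the issue entirely.)
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}
function safeGreeting(loc) {
  return '<p>Hello ' + escapeHtml(readParam(loc, 'hash', 'name') ?? '') + '</p>';
}

// Weak: a query value flows straight into the window.location sink (open redirect).
function unsafeRedirectTarget(loc) {
  return readParam(loc, 'search', 'next');
}

// Hardened: resolve the value against the app's own origin and accept only
// same-origin http(s) targets; anything else falls back to a fixed path.
function safeRedirectTarget(loc, appOrigin) {
  const next = readParam(loc, 'search', 'next') ?? '/';
  let url;
  try { url = new URL(next, appOrigin); } catch { return '/'; }
  if (url.origin !== appOrigin || !/^https?:$/.test(url.protocol)) return '/';
  return url.pathname + url.search + url.hash;
}
```

In a real page the return values of the safe variants are what you would hand to the sink; the unsafe variants are kept only to show that the tainted value passes through untouched.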