“DOM-based XSS” is a cross-site scripting vulnerability that shows up in the DOM (Document Object Model) rather than in the HTML. In reflected and stored XSS attacks, you can see the vulnerability payload on the response page. In DOM-based XSS, however, the attack payload can’t be found in the HTML source code or the response. It can only be seen at runtime or by inspecting the DOM of the page.
Imagine the following page, “http://www.example.com/test.html”, contains the code below:
If you send an HTTP request like this,
simple enough, your JavaScript code will get executed because the page writes whatever you put in the URL into the page with the “document.write” function. If you look at the source of the page, you won’t see
because it’s all happening in the DOM and done by the executed JavaScript code.
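The behaviour described above, modelled without a browser, as an added example that is not code from the original page. The `makeDocument` stub, the `STATIC_SOURCE` string, the function names and the harmless marker in the URL are all assumptions constructed for illustration.

```javascript
// Constructed stand-in for the HTML the server returns for test.html.
// It carries the script that writes the URL, but never the URL's content.
const STATIC_SOURCE =
  '<html><body><script src="page.js"></script></body></html>';

// Hypothetical minimal stand-in for the browser document:
// write() appends markup to the live DOM, as document.write does at runtime.
function makeDocument(url) {
  return {
    URL: url,
    markup: '',
    write(html) { this.markup += html; },
  };
}

// Vulnerable pattern: URL text flows into an HTML sink unencoded.
function renderUnsafe(doc) {
  doc.write('You are at: ' + doc.URL);
  return doc.markup;
}

// HTML-encode the characters that can start or break out of markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: the same write, but the URL is treated as text, not markup.
function renderSafe(doc) {
  doc.write('You are at: ' + escapeHtml(doc.URL));
  return doc.markup;
}

// Constructed input: a harmless marker element stands in for injected markup.
const MARKER = '<i>constructed-marker</i>';
const SAMPLE_URL = 'http://www.example.com/test.html#' + MARKER;

function demo() {
  const unsafeDom = renderUnsafe(makeDocument(SAMPLE_URL));
  const safeDom = renderSafe(makeDocument(SAMPLE_URL));
  return {
    inStaticSource: STATIC_SOURCE.includes(MARKER), // what "view source" shows
    inUnsafeDom: unsafeDom.includes(MARKER),        // what the live DOM holds
    inSafeDom: safeDom.includes(MARKER),
    safeDom,
  };
}
```

In a real page the equivalent fix is to assign the value with `textContent` on an existing element, so the URL is never parsed as HTML.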