DOM-Based Attacks
DOM-based attacks are a class of client-side vulnerabilities in which the payload takes effect because client-side script modifies the Document Object Model (DOM) of the page in the victim's browser. Unlike reflected or stored attacks, the malicious payload need never reach the server, which makes these attacks harder to detect with server-side security controls.
DOM-based attacks exploit vulnerabilities in client-side JavaScript code that processes data from untrusted sources. The Document Object Model is a programming interface that represents the structure of an HTML document as a tree of objects. When JavaScript code takes data from attacker-controllable sources (such as the URL, referrer, or postMessage events) and passes it to dangerous sinks (such as innerHTML, eval, or document.write), it creates a DOM-based vulnerability.
The most well-known variant is DOM-based XSS, but the class extends to other types including DOM-based open redirect (using window.location with tainted input), DOM-based cookie manipulation, DOM-based JavaScript injection, and DOM-based denial of service. Each variant involves a different combination of sources and sinks in the client-side code.
DOM-based vulnerabilities are particularly challenging because the malicious payload may exist only in the URL fragment (the part after the # symbol, which browsers do not send in the request) or in other client-side data that never reaches the server. Traditional server-side security measures such as WAFs, input validation, and server-side logging therefore never see the payload and can neither detect nor prevent these attacks.
Defending against DOM-based attacks requires a combination of secure client-side coding practices: avoiding dangerous sinks like innerHTML and eval, using safe DOM manipulation methods (textContent instead of innerHTML, createElement instead of document.write), sanitising data from untrusted sources before use, implementing Content Security Policy to restrict inline script execution, and using static analysis tools specifically designed to detect DOM-based vulnerability patterns in JavaScript code.
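As an added illustration of the source-and-sink model described above and of the kind of pattern matching a DOM-focused static analysis tool performs, the following scanner (example code written for this page, not a tool the text refers to) flags lines where data from an attacker-controllable source flows into a dangerous sink. It assumes postMessage handlers name their parameter `event`, and its input is a constructed sample script, not code from any real site.

```javascript
// Heuristic source-to-sink scanner for DOM-based vulnerability patterns.
// Regex line scanning plus single-variable taint tracking; no scoping or
// cross-function data flow, so treat results as review leads, not verdicts.
const SOURCES = [
  /\blocation\.(hash|search|href|pathname)\b/,
  /\bdocument\.(URL|documentURI|referrer|cookie)\b/,
  /\bwindow\.name\b/,
  /\bevent\.data\b/, // postMessage payload; assumes the handler parameter is named `event`
];
const SINKS = [ // markup injection, code execution, document rewriting, navigation
  { name: 'innerHTML', re: /\.(innerHTML|outerHTML)\s*=/ },
  { name: 'eval', re: /\b(eval|setTimeout|setInterval|Function)\s*\(/ },
  { name: 'document.write', re: /\bdocument\.write(ln)?\s*\(/ },
  { name: 'location', re: /\blocation(\.href)?\s*=(?!=)|\blocation\.(assign|replace)\s*\(/ },
];
const ASSIGNMENT = /([A-Za-z_$][\w$.]*)\s*=(?!=)\s*(.*)$/; // first `lhs = rhs` on the line

function scanForDomFlows(source) {
  const tainted = new Set(); // identifiers assigned from a source or a tainted value
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    const m = line.match(ASSIGNMENT);
    const lhs = m ? m[1] : '';
    const rhs = m ? m[2] : line; // non-assignment: inspect the whole line
    const fromSource = SOURCES.some((re) => re.test(rhs));
    const fromTainted = [...tainted].some((v) =>
      new RegExp('\\b' + v.replace(/\$/g, '\\$') + '\\b').test(rhs));
    const isTainted = fromSource || fromTainted;
    // Propagate taint only to plain identifiers, not to properties like el.innerHTML.
    if (isTainted && /^[A-Za-z_$][\w$]*$/.test(lhs)) tainted.add(lhs);
    for (const sink of SINKS) {
      if (isTainted && sink.re.test(line)) {
        findings.push({ line: idx + 1, sink: sink.name, text: line.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample page script mixing vulnerable and safe patterns.
const SAMPLE = `
const hash = decodeURIComponent(location.hash.slice(1));
const banner = document.getElementById('banner');
banner.innerHTML = '<b>' + hash + '</b>';
banner.textContent = hash;
const target = new URLSearchParams(location.search).get('next');
if (target) location.href = target;
window.addEventListener('message', (event) => { eval(event.data); });
document.write('<p>Loaded</p>');
`.trim();
console.log(scanForDomFlows(SAMPLE)); // flags lines 3 (innerHTML), 6 (location), 7 (eval)
```

The textContent assignment on line 4 and the constant document.write on line 8 are not reported, which is the distinction between a dangerous sink and a dangerous sink fed by untrusted data.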