Cross Site Scripting (XSS) – DOM-based (Out Of Space)

by Prapattimynk, Tuesday, 25 July 2023

The impact of a successful XSS attack can include:

  • Theft of sensitive information: An attacker can use an XSS attack to steal sensitive information, such as login credentials, credit card numbers, or other personal data that may be entered into the targeted website.
  • Malware distribution: An attacker can inject malicious code into a website through an XSS attack, which can then be used to distribute malware to unsuspecting visitors of the website.
  • Website defacement: An attacker can use an XSS attack to deface a website, replacing its content with their own message or content.
  • Phishing attacks: An attacker can use an XSS attack to create a convincing phishing page that looks like the targeted website, tricking users into entering their login credentials or other sensitive information.
  • Reputation damage: A successful XSS attack can damage the reputation of the targeted website, as users may lose trust in the website’s security and reliability.

Here are some recommendations to help prevent and mitigate the impact of XSS attacks:

The best way to fix DOM-based cross-site scripting is to use the right output method (sink). For example, if you want to write user input into a div element, don't use innerHTML; use innerText or textContent instead. This resolves the problem and is the right way to remediate DOM-based XSS vulnerabilities.
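To make the difference between the two sinks concrete, here is an added example (not code from the original post). Node has no DOM, so it models a browser element with a constructed FakeElement class that mimics only the behaviour that matters here; the names renderUnsafe, renderSafe, demo and SAMPLE_INPUT are assumptions of this example, not part of the post.

```javascript
// Added example, not code from the original post: the same untrusted string
// written through an HTML-parsing sink (innerHTML) and a text-only sink
// (textContent). FakeElement is a constructed stand-in for a browser Element:
// assigning innerHTML runs the markup through a parser and creates child
// elements, while assigning textContent stores the string as inert text.

class FakeElement {
  constructor() {
    this.children = []; // tag names the parser would instantiate
    this.text = "";     // text the user would see
  }

  // Stand-in for the browser's HTML parser: every tag becomes an element.
  set innerHTML(markup) {
    const tagRe = /<([a-zA-Z][\w-]*)[^>]*>/g;
    this.children = Array.from(markup.matchAll(tagRe), (m) => m[1].toLowerCase());
    this.text = markup.replace(/<[^>]*>/g, "");
  }

  // Text-only sink: nothing is parsed, so no element (and no event handler) is created.
  set textContent(value) {
    this.children = [];
    this.text = String(value);
  }
  get textContent() {
    return this.text;
  }
}

// Vulnerable pattern: untrusted data flows into an HTML-parsing sink.
function renderUnsafe(el, untrusted) {
  el.innerHTML = untrusted;
  return el;
}

// Remediated pattern: the same data written through a text-only sink.
function renderSafe(el, untrusted) {
  el.textContent = untrusted;
  return el;
}

// Constructed sample input standing in for an attacker-controlled value
// such as a URL fragment or query parameter.
const SAMPLE_INPUT = "Hello <b>world</b>";

function demo() {
  const unsafe = renderUnsafe(new FakeElement(), SAMPLE_INPUT);
  const safe = renderSafe(new FakeElement(), SAMPLE_INPUT);
  return {
    unsafeChildren: unsafe.children, // ["b"]: the markup was parsed
    unsafeText: unsafe.text,         // "Hello world": tags became structure
    safeChildren: safe.children,     // []: nothing was parsed
    safeText: safe.textContent,      // the literal string, angle brackets and all
  };
}

console.log(demo());
```

Run it with node. The innerHTML path turns the input's tag into an element, which is exactly the step that lets injected markup take effect in a real browser; the textContent path keeps the angle brackets as literal text and creates nothing. When a page genuinely has to render user-supplied markup, a sanitizer such as the DOMPurify the post recommends belongs between the input and the innerHTML assignment.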

Additionally, we currently recommend using https://github.com/cure53/DOMPurify/ as your sanitizer. Essentially, we allow all code as long as it is wrapped in a function call to a known sanitizer like so:

element.innerHTML = DOMPurify.sanitize(evil);
