[Owasp-leaders] OWASP DOM based XSS definition, which looked a little off

Serg serg at owasp.org
Tue Oct 22 11:05:18 UTC 2013

Hi All

I've recently had a look at the OWASP DOM based XSS definition, which
looked a little off.

The TL;DR version: the DOM based XSS definition according to OWASP (
https://www.owasp.org/index.php/DOM_Based_XSS) is only 50% correct (or the
pessimistic view - 50% wrong) and misleading.

I am basing this on the 'Definition' examples (
https://www.owasp.org/index.php/DOM_Based_XSS), not the 'Advanced
Techniques and Derivatives' section.

The first part of this document is incorrect.

In layman's terms, in Reflected XSS the request/JS is first sent to the
server and is then reflected, as is, in the response, hence the name.



Since the query string gets sent to the server and reflected back, this is
a Reflected XSS, not DOM-based.

The 'xss_attack_here' part is irrelevant here. As long as it is sent to the
server and reflected back, it's a Reflected XSS vulnerability. Whether it
runs in the DOM or not is irrelevant; technically everything runs in the DOM...

My understanding of DOM based XSS is: it is processed entirely in the web
browser; the request with the XSS payload is not sent to the server.

As far as I know, the only way to achieve that is to use fragment
identifiers: the part of the URL after the '#' (including '#') is not sent
to the server as part of the request.

Based on that, I am fairly certain that the current OWASP definition (
https://www.owasp.org/index.php/DOM_Based_XSS) is wrong and misleading.

