{"id":20493898,"url":"https://github.com/qeeqbox/dom-based-cross-site-scripting","last_synced_at":"2026-03-10T00:34:10.143Z","repository":{"id":104218985,"uuid":"486711083","full_name":"qeeqbox/dom-based-cross-site-scripting","owner":"qeeqbox","description":" A threat actor may inject malicious content into webapp. The payload is not reflected in the HTTP request and response, then executed in the victim's browser","archived":false,"fork":false,"pushed_at":"2025-07-26T21:10:20.000Z","size":1779,"stargazers_count":3,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-07-27T01:11:51.562Z","etag":null,"topics":["cross","dom","example","infosecsimplified","metadata","qeeqbox","scripting","site","vulnerability","xss","xss-vulnerability"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/qeeqbox.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":["qeeqbox"]}},"created_at":"2022-04-28T18:44:36.000Z","updated_at":"2025-07-26T21:10:24.000Z","dependencies_parsed_at":"2024-01-29T02:30:57.412Z","dependency_job_id":"4e0ac76a-d51e-418d-90b5-a699324fd183","html_url":"https://github.com/qeeqbox/dom-based-cross-site-scripting","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/qeeqbox/dom-based-cross-site-scripting","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qeeqbox%2Fdom-based-cross-site-scripting","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qeeqbox%2Fdom-based-cross-site-scripting/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qeeqbox%2Fdom-based-cross-site-scripting/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qeeqbox%2Fdom-based-cross-site-scripting/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/qeeqbox","download_url":"https://codeload.github.com/qeeqbox/dom-based-cross-site-scripting/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/qeeqbox%2Fdom-based-cross-site-scripting/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30318513,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-09T20:05:46.299Z","status":"ssl_error","status_checked_at":"2026-03-09T19:57:04.425Z","response_time":61,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cross","dom","example","infosecsimplified","metadata","qeeqbox","scripting","site","vulnerability","xss","xss-vulnerability"],"created_at":"2024-11-15T17:37:20.821Z","updated_at":"2026-03-10T00:34:10.128Z","avatar_url":"https://github.com/qeeqbox.png","language":null,"funding_links":["https://github.com/sponsors/qeeqbox"],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e \u003cimg src=\"https://raw.githubusercontent.com/qeeqbox/dom-based-cross-site-scripting/main/content/dom-based-cross-site-scripting.svg\"\u003e\u003c/p\u003e\n\nAn application enables users to control the Document Object Model (DOM) environment. A threat actor can exploit this feature by injecting a malicious payload into a trusted web application. When users interact with this malicious payload, their browsers execute it. This vulnerability is not reflected in the HTTP request or response and occurs on the client side.\n\nClone this current repo recursively\n```sh\ngit clone --recurse-submodules https://github.com/qeeqbox/dom-based-cross-site-scripting\n```\nRun the webapp using Python\n```sh\npython3 dom-based-cross-site-scripting/vulnerable-web-app/webapp.py\n```\nOpen the webapp in your browser 127.0.0.1:5142\n\u003cp align=\"center\"\u003e \u003cimg src=\"https://raw.githubusercontent.com/qeeqbox/dom-based-cross-site-scripting/main/content/1.png\"\u003e\u003c/p\u003e\nRight-click on the page and click on View Page source, the page source will show the static content, one of the contents is JavaScript that handles the fragment identifier (# symbol) in the URL, which is meant to move users into specific sections of the page\n\u003cp align=\"center\"\u003e \u003cimg src=\"https://raw.githubusercontent.com/qeeqbox/dom-based-cross-site-scripting/main/content/2.png\"\u003e\u003c/p\u003e\nIf you type the URL + #test, it will take you to the test section, it does not exist but the test keyword gets embedded in the page\n\u003cp align=\"center\"\u003e \u003cimg src=\"https://raw.githubusercontent.com/qeeqbox/dom-based-cross-site-scripting/main/content/3.png\"\u003e\u003c/p\u003e\nA threat actor could embed a malicious payload and send it to a victim using social engineering attacks. If the victim falls for it, their browser will execute a malicious payload\n\u003cp align=\"center\"\u003e \u003cimg src=\"https://raw.githubusercontent.com/qeeqbox/dom-based-cross-site-scripting/main/content/4.png\"\u003e\u003c/p\u003e\n\n## Code\nThis logic will check the current URL for fragment identifiers. If # is part of the URL, it will pass it to the flash_message() function\n```js\njQuery(document).ready(function($) {\n  if (window.location.hash) {\n    let hash_value = window.location.hash.substring(1);\n      flash_message(`Moving to ${decodeURIComponent(hash_value)} section`)\n  }\n});\n```\nThe flash_message() function embeds the user-controlled input directly into a div box without sanitizing it\n```py\nfunction flash_message(msg) {\n  $(\"#error-dialog-box\").html(msg)\n  $(\"#error-dialog-box\").dialog(\"open\");\n}\n```\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fqeeqbox%2Fdom-based-cross-site-scripting","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fqeeqbox%2Fdom-based-cross-site-scripting","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fqeeqbox%2Fdom-based-cross-site-scripting/lists"}