https://github.com/qeeqbox/dom-based-cross-site-scripting
A threat actor may inject malicious content into a web app. The payload is not reflected in the HTTP request or response; it is executed in the victim's browser.
- Host: GitHub
- URL: https://github.com/qeeqbox/dom-based-cross-site-scripting
- Owner: qeeqbox
- License: agpl-3.0
- Created: 2022-04-28T18:44:36.000Z (about 4 years ago)
- Default Branch: main
- Last Pushed: 2025-07-26T21:10:20.000Z (10 months ago)
- Last Synced: 2025-07-27T01:11:51.562Z (10 months ago)
- Topics: cross, dom, example, infosecsimplified, metadata, qeeqbox, scripting, site, vulnerability, xss, xss-vulnerability
- Homepage:
- Size: 1.7 MB
- Stars: 3
- Watchers: 1
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README

The application lets user-controlled input, here the URL fragment, flow into the Document Object Model (DOM) on the client side. A threat actor can craft a malicious payload and deliver it through an otherwise trusted web application; when a victim opens the link, their browser executes it. Because browsers never send the fragment to the server, the payload does not appear in the HTTP request or response (or in server logs), and the vulnerability occurs entirely on the client side.
Clone this repo recursively
```sh
git clone --recurse-submodules https://github.com/qeeqbox/dom-based-cross-site-scripting
```
Run the webapp using Python
```sh
python3 dom-based-cross-site-scripting/vulnerable-web-app/webapp.py
```
Open the webapp in your browser at http://127.0.0.1:5142

Right-click on the page and choose View Page Source. The source shows the static content, including a piece of JavaScript that handles the fragment identifier (the part of the URL after the # symbol), which is meant to move users to a specific section of the page.

If you append #test to the URL, the page tries to take you to a test section. No such section exists, but the test keyword is still embedded in the page.

A threat actor could place a malicious payload in the fragment and send the resulting link to a victim through social engineering. If the victim opens it, their browser executes the payload.

## Code
This logic checks the current URL for a fragment identifier. If the URL contains a #, the text after it is URL-decoded and passed to flash_message()
```js
jQuery(document).ready(function($) {
    if (window.location.hash) {
        // Drop the leading '#'; everything after it is attacker-controllable
        let hash_value = window.location.hash.substring(1);
        // Decoded fragment is interpolated straight into the message
        flash_message(`Moving to ${decodeURIComponent(hash_value)} section`)
    }
});
```
The flash_message() function embeds the user-controlled input directly into a div via jQuery's .html(), which parses the string as markup, without sanitizing or encoding it
```js
function flash_message(msg) {
    // .html() treats msg as HTML, so any tags in the fragment become live DOM
    $("#error-dialog-box").html(msg)
    $("#error-dialog-box").dialog("open");
}
```