Dom based XSS question

Hi guys and gals! I'm new to web app testing and I wanted to ask, as I've tried googling and haven't been able to get a clear idea. I think I found a DOM-based XSS bug: I did static analysis and ran a few different tools that show a possible DOM-based XSS from static analysis, but I don't know how I'd go about verifying it where the code lies, as it seems to be in a drop-down menu. Anyone experienced this?

1 Like

Hi @paxtammy,

It would be helpful if you described the bug you found and the problem you are having.
From what I understand, you used a tool which found a probable XSS but you don't know how to exploit it, am I right?

1 Like

Static analysis tools can be really bad at properly identifying DOM-based XSS and often give false positives. When you're looking at DOM XSS, there are usually two pieces: sources and sinks. Your source will be something like location.hash, and your sink will be something like document.write or eval. Identify those two pieces, then try to manipulate the source, read your browser's developer console and look for the execution of your injected code.

1 Like

Sorry for the late response. I used the Burp Suite scanner passively, and it found DOM XSS as certain through analyzing the static source. It shows it was based in the drop-down menu. I was thinking I could try a CSRF POST PoC, which I haven't tried. I am sorry, I am very new to bug bounties and DOM XSS especially, so I apologize if I didn't frame my question correctly. I just want to know how to confirm DOM-based XSS by looking at the source. Are there any good resources to do this? I suppose I should learn JavaScript better to truly understand it. I am sorry for being vague and asking incorrectly.

Thank you for explaining the context!

I never used Burp for the purpose you describe, so I'm not sure if that feature allows you to find in which file the vulnerability is.
DOM XSS is usually harder to find than reflected XSS, for example, because it's built by the browser. The easiest case to understand could be something like:

  1. Browser requests http://example.com/#<script>alert()</script>
  2. The response from the server includes something like <script>document.write(location.hash)</script>
  3. #<script>alert()</script> is written in the document and alert() executed

I really recommend you learn JavaScript and HTML if you want to focus on XSS and/or like it. I think Codecademy is a good resource to learn, but there are other options. However, you can learn just by googling what you don't understand and making sense of that, but at least a basic course of JavaScript could be useful.
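To make the source/sink idea from the replies above concrete, here is an added example that is not from this thread or from Burp: a toy taint tracer in Node that does, in miniature, what a static scanner does when it flags "DOM-based XSS". It tracks variables assigned from known sources (location.hash, location.search, ...) and reports lines where a source or a tainted variable reaches a known sink (document.write, innerHTML, eval, ...). The two snippets it scans are constructed to resemble a drop-down handler, one vulnerable and one hardened with an assumed escapeHtml() helper; the list of sanitizers it trusts is an assumption of this toy, not a rule a real tool would apply blindly.

```javascript
// Added example (not from the thread): a toy source-to-sink tracer for
// DOM XSS review. It runs under Node and never touches a real DOM; it only
// reads JavaScript as text, which is exactly why such tools need manual
// confirmation in the browser afterwards.

const SOURCES = ["location.hash", "location.search", "location.href",
  "document.referrer", "document.URL", "window.name"];
const SINKS = ["document.write(", "document.writeln(", ".innerHTML",
  ".outerHTML", "insertAdjacentHTML(", "eval(", "Function(",
  "setTimeout(", "setInterval("];
// Text sinks: the value lands in the DOM as character data, not markup.
const SAFE_SINKS = [".textContent", ".innerText"];
// Assumption of this toy: wrapping the source in one of these neutralises it
// for markup sinks. It would not neutralise it for eval-style sinks.
const SANITIZERS = ["escapeHtml(", "encodeURIComponent("];

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Returns { flows, safeUses }: lines where taint reaches a sink, and lines
// where it only reaches a text sink.
function findTaintedFlows(code) {
  const tainted = new Set();
  const flows = [];
  const safeUses = [];
  code.split("\n").forEach((raw, idx) => {
    const line = raw.trim();
    const lineNo = idx + 1;
    if (!line || line.startsWith("//")) return;
    const usesSource = SOURCES.some((s) => line.includes(s));
    const usesTainted = [...tainted].some((v) =>
      new RegExp(`\\b${escapeRe(v)}\\b`).test(line));
    if (!usesSource && !usesTainted) return;
    const sanitized = SANITIZERS.some((s) => line.includes(s));
    // A plain assignment `[var|let|const] name = expr` propagates taint to name.
    const m = line.match(/^(?:(?:var|let|const)\s+)?([A-Za-z_$][\w$]*)\s*=[^=]/);
    if (m) {
      if (sanitized) tainted.delete(m[1]); else tainted.add(m[1]);
    }
    if (SINKS.some((s) => line.includes(s)) && !sanitized) {
      flows.push({ line: lineNo, code: line });
    } else if (SAFE_SINKS.some((s) => line.includes(s))) {
      safeUses.push({ line: lineNo, code: line });
    }
  });
  return { flows, safeUses };
}

// Assumed hardening helper used by the second sample: encode the HTML
// metacharacters before the value is concatenated into markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed snippet resembling a drop-down handler that reads the fragment.
const VULNERABLE = `
var choice = location.hash.slice(1);
var menu = document.getElementById("menu");
menu.innerHTML = "<option>" + choice + "</option>";
document.write(location.search);
var label = document.getElementById("label");
label.textContent = choice;
`;

// Same handler with the source encoded before it can reach a markup sink.
const HARDENED = `
var choice = escapeHtml(location.hash.slice(1));
var menu = document.getElementById("menu");
menu.innerHTML = "<option>" + choice + "</option>";
var label = document.getElementById("label");
label.textContent = choice;
`;

for (const [name, code] of [["vulnerable", VULNERABLE], ["hardened", HARDENED]]) {
  const { flows, safeUses } = findTaintedFlows(code);
  console.log(`${name}: ${flows.length} source->sink flow(s)`);
  flows.forEach((f) => console.log(`  line ${f.line}: ${f.code}`));
  safeUses.forEach((f) => console.log(`  text-only use at line ${f.line}: ${f.code}`));
}
```

Running it reports two flows in the vulnerable snippet (the innerHTML concatenation and the document.write of location.search) and none in the hardened one, while the textContent assignment is listed as a text-only use in the first snippet. That last point is the usual cause of scanner false positives: a source reaching a text sink is not exploitable markup injection, so a finding like the drop-down one is only confirmed once you see which sink the value actually reaches and whether anything encodes it on the way.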

Thank you for your feedback! Just starting out, I naturally wanted to use vuln scanners and purely lazy ways of finding bugs, but doing that crap, I've only been able to find false positives. I was mentioning doing a CSRF PoC because I could target the drop-down menu where the supposed bastard DOM-based XSS is, according to Burp; however, I'm not sure if XSS could be done that way, as I think it's possible.

Thanks again for coming to the rescue on my questions :slight_smile:

I’m glad to help.

I think you are on the right path, because you want to understand what you are doing and how to find a vulnerability instead of just throwing spaghetti at the wall.

I hope to see you in the leaderboards sometime soon. :slight_smile: