Methodology
A repeatable process for finding DOM XSS vulnerabilities. Follow these steps and iterate.
Methodology Checklist
- Get familiar with the application: understand whether it is a good target for client-side testing, and learn its flows and functionality.
- Identify sources and sinks by searching through code and using the application.
- Set breakpoints in dev tools on a source or sink you want to analyze. Use the Sources panel to locate the code and click the line number.
- Use the debugger to follow the trace. Step through execution from source to sink. Watch how data transforms along the way.
- Make note of any data transformation or conditions that affect the code path. Look for encoding, filtering, sanitization, or conditional branches that might block or alter your payload.
- If a reachable path is identified, craft your payload. Build a payload that takes the necessary code path. Don't guess or spray wordlists; understand the context and preconditions for your XSS to fire.
- Rinse and repeat. Move to the next source/sink pair. Most of the time you will be chasing dead-ends, but persistence is key.
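The flow the checklist describes (source, transformations along the way, sink) as an added example that is not part of the original page. It simulates a `location.hash` to `innerHTML` path in plain Node, with the sink modelled as the string that would be assigned to `innerHTML`, so the value at each step can be recorded the way you would note it while stepping through in the debugger. The hardened version beside it escapes the value before the sink; `escapeHtml`, the flow functions and the sample hash are all constructed for this example.

```javascript
// Added example (not from the original page): a simulated DOM XSS data flow,
// source -> transformations -> sink, with the hardened version beside it.
// Runs in Node without a browser: the "sink" is modelled as the string that
// would be assigned to element.innerHTML, so the flow can be traced and tested.

// Minimal HTML escaper for data placed into an HTML text context
// (assumption: the value is only ever rendered as text, never as markup).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable flow: location.hash (source) -> decodeURIComponent -> template
// -> innerHTML (sink). `trace` records the value after each step, which is
// the transformation record step 4 of the checklist asks for.
function vulnerableFlow(hash, trace = []) {
  trace.push(["source location.hash", hash]);
  const raw = hash.startsWith("#") ? hash.slice(1) : hash;
  const name = decodeURIComponent(raw);    // transformation: URL decoding
  trace.push(["decodeURIComponent", name]);
  const html = `<p>Welcome, ${name}</p>`;  // untrusted data spliced into markup
  trace.push(["sink innerHTML", html]);
  return html;
}

// Hardened flow: same path, but the untrusted value is escaped before it
// reaches the HTML sink, so any markup in the input stays inert text.
function hardenedFlow(hash, trace = []) {
  trace.push(["source location.hash", hash]);
  const raw = hash.startsWith("#") ? hash.slice(1) : hash;
  const name = decodeURIComponent(raw);
  trace.push(["decodeURIComponent", name]);
  const html = `<p>Welcome, ${escapeHtml(name)}</p>`;
  trace.push(["sink innerHTML", html]);
  return html;
}

// Does the value that reached the sink still carry the input's markup intact?
// That is the precondition for this source/sink pair to matter.
function inputMarkupReachesSink(sinkHtml, decodedInput) {
  return sinkHtml.includes(decodedInput);
}

// Constructed input: URL-encoded so the decode step visibly changes the value.
const SAMPLE_HASH = "#%3Cb%3Ename%3C%2Fb%3E"; // decodes to <b>name</b>

// Print the trace for both flows so the transformation at each step is visible.
for (const [label, flow] of [["vulnerable", vulnerableFlow], ["hardened", hardenedFlow]]) {
  const trace = [];
  flow(SAMPLE_HASH, trace);
  console.log(`--- ${label} ---`);
  for (const [step, value] of trace) console.log(`${step}: ${value}`);
}
```

The trace is the point: in the vulnerable flow the `<b>` tag survives every step to the sink, while in the hardened flow the last step shows the escaped form, and `inputMarkupReachesSink` turns that observation into a check you can assert on.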
Quick Reference: What To Search For
Sources to Find
- location.hash
- location.search
- location.href
- location.pathname
- URLSearchParams
- addEventListener("message"
- onmessage
Sinks to Find
- innerHTML
- outerHTML
- document.write
- import(
- eval(
- Function(
- setTimeout(
- setInterval(
- location.href =
- window.open(
- .src =
- .href =
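A small scanner for step 2 of the checklist, added here as an example that is not part of the original page: it greps a JavaScript file line by line for the sources and sinks listed above and reports each hit with its line number. The pattern lists are the ones on this page; `scanLine`, `findSourcesAndSinks` and the sample code it scans are constructed for the example. Because `location.href` appears in both lists, the scanner treats a plain assignment to a source name as a sink rather than a source read; everything else is substring matching, so it is a triage aid that needs a human reading each hit, not a parser.

```javascript
// Added example (not from the original page): grep-style triage of a JS file
// for the source and sink names listed in the quick reference.

const SOURCES = [
  "location.hash", "location.search", "location.href", "location.pathname",
  "URLSearchParams", 'addEventListener("message"', "onmessage",
];

const SINKS = [
  "innerHTML", "outerHTML", "document.write", "import(", "eval(", "Function(",
  "setTimeout(", "setInterval(", "location.href =", "window.open(", ".src =", ".href =",
];

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Patterns ending in " =" describe an assignment: match a single "=" with any
// spacing, but not "==" / "===", which are comparisons (reads, not writes).
function compile(pattern) {
  if (pattern.endsWith(" =")) {
    return new RegExp(escapeRegex(pattern.slice(0, -2)) + "\\s*=(?!=)");
  }
  return new RegExp(escapeRegex(pattern));
}

function scanLine(line) {
  const hits = [];
  for (const p of SOURCES) {
    if (!compile(p).test(line)) continue;
    // `location.href = x` is a write to the location, i.e. a sink, not a read.
    if (compile(p + " =").test(line)) continue;
    hits.push({ kind: "source", pattern: p });
  }
  for (const p of SINKS) {
    if (compile(p).test(line)) hits.push({ kind: "sink", pattern: p });
  }
  return hits;
}

// Returns one finding per (line, pattern) hit: { line, kind, pattern, text }.
function findSourcesAndSinks(code) {
  const findings = [];
  code.split("\n").forEach((line, i) => {
    for (const h of scanLine(line)) {
      findings.push({ line: i + 1, kind: h.kind, pattern: h.pattern, text: line.trim() });
    }
  });
  return findings;
}

// Constructed sample to scan: a few lines of made-up application code.
const SAMPLE_CODE = [
  'const params = new URLSearchParams(location.search);',
  'const name = params.get("name");',
  'document.getElementById("greeting").innerHTML = "Hi " + name;',
  'window.addEventListener("message", (e) => { eval(e.data); });',
  'if (done) location.href = params.get("next");',
  'if (location.href === base) return;',
].join("\n");

for (const f of findSourcesAndSinks(SAMPLE_CODE)) {
  console.log(`${String(f.line).padStart(3)}  ${f.kind.padEnd(6)} ${f.pattern.padEnd(28)} ${f.text}`);
}
```

On the sample, line 5 is reported only as a sink (the assignment to `location.href`) and line 6 only as a source (a comparison reads it); the remaining hits are the candidates you would then take to the Sources panel and set breakpoints on.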
Resources / Further Learning / Communities
- MDN Documentation - The bible for all things related to web APIs, JS, and browser behavior
- JavaScript for Hackers - Fantastic book that teaches you quirks and techniques for hacking with JS.
- Bug Bounty Daily - High-Quality Bug Bounty Writeups
- Critical Thinking Bug Bounty Podcast - Weekly podcast on bug bounty hunting with highly practical, technical content
- DC858 - Monthly meetings in Rancho Bernardo
- San Diego Underground - Monthly meetings at University of San Diego