DOM-based XSS is a variant of cross-site scripting that has become prevalent with modern, dynamic web applications, such as HTML5 applications and Single Page Applications. In these applications developers have moved much of the application logic to the client side, so a large part of the work is done by the client's web browser rather than by the web server.
This shift arguably makes web servers somewhat more secure, because less functionality is exposed through them, but it has opened a new class of security holes: DOM XSS, a vulnerability in the browser-side code of the application. Cross-site scripting (XSS) variants are exploited so commonly that they are listed in the OWASP Top 10 list of the most critical web security flaws.
DOM-based XSS is more difficult to detect than traditional reflected XSS, because the payload may never reach the server (for example when it travels in the URL fragment) and therefore never appears in a server response or a server log. This is why it is important to use an automated DOM-based XSS scanner such as Netsparker to identify these vulnerabilities.
The browser dispatches events such as keypresses or mouse clicks to client-side script, which handles them and can, for example, change the web page's appearance by modifying the DOM, without sending data back to the web server in an HTTP request and receiving a new page in the response.
DOM-based cross-site scripting is not a server-side vulnerability: the flaw is in the code executed in the victim's web browser, the client-side code, typically where an attacker-controlled source such as the URL is written into a dangerous sink such as innerHTML. Server-side mitigations such as input validation and output encoding of the response therefore cannot fix it; when the payload sits in the URL fragment the server never even receives it, so the remediation belongs in the client-side code. To protect your users and your business's reputation from the damage of DOM-based XSS, you need to scan your web applications with a DOM XSS scanner.
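The following is an added example, not code from the original post or from Netsparker, showing the source-to-sink flow behind a DOM-based XSS and why the server never sees the payload. It runs in Node with a minimal stand-in for a DOM element; the page URL, the `name` parameter and the element behaviour are constructed for illustration.

```javascript
// Added example (not from the original page): the source-to-sink flow behind a
// DOM-based XSS, runnable in Node with a minimal stand-in for a DOM element.
// URLs, parameter and element names are all constructed for illustration.

// Serialise text the way a browser does when a text node is read back as HTML.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Stand-in for document.getElementById('greeting'): innerHTML is stored as
// markup, textContent is stored as data and serialises escaped, mirroring the
// browser's behaviour for the two sinks.
function makeElement() {
  let html = '';
  return {
    get innerHTML() { return html; },
    set innerHTML(v) { html = String(v); },
    set textContent(v) { html = escapeHtml(String(v)); },
  };
}

// Source: the "name" parameter of the URL fragment (location.hash in a browser).
// URLSearchParams percent-decodes it, as the application code typically would.
function nameFromFragment(url) {
  const hash = new URL(url).hash;              // e.g. "#name=Alice"
  return new URLSearchParams(hash.slice(1)).get('name') || '';
}

// What the server actually receives: the request target is path + query.
// The fragment is never sent, so a server-side filter cannot inspect it.
function requestTarget(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}

// Vulnerable: the untrusted name flows into innerHTML and is parsed as markup.
function renderVulnerable(url) {
  const el = makeElement();
  el.innerHTML = 'Hello ' + nameFromFragment(url);
  return el.innerHTML;
}

// Hardened: textContent treats the same string as data; the browser renders
// the angle brackets literally instead of creating an <img> element.
function renderSafe(url) {
  const el = makeElement();
  el.textContent = 'Hello ' + nameFromFragment(url);
  return el.innerHTML;
}

// Coarse check: a <script> tag, or any tag carrying an on* event handler,
// would execute script once the browser parses the markup.
function containsActiveMarkup(html) {
  return /<\s*script\b|<[a-z][^>]*\bon\w+\s*=/i.test(html);
}

// Constructed URLs: a benign visit and an attacker-crafted link whose payload
// lives entirely in the fragment.
const BENIGN_URL = 'https://example.test/welcome#name=Alice';
const ATTACK_URL = 'https://example.test/welcome#name=<img src=x onerror=alert(1)>';

console.log('server sees :', requestTarget(ATTACK_URL));
console.log('innerHTML   :', renderVulnerable(ATTACK_URL));
console.log('textContent :', renderSafe(ATTACK_URL));
```

The first line printed is `/welcome`: the attack payload never appears in the HTTP request, which is exactly why server-side validation, encoding and logging cannot catch this class of bug, and why the fix is to use a data-only sink such as `textContent` in the client-side code.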
Netsparker can detect DOM-based XSS vulnerabilities regardless of the technologies your web application is built with. Moreover, its exclusive Proof-Based Scanning™ technology means every finding is a real threat, not a false positive: vulnerabilities are automatically exploited in a safe, read-only manner, and a proof of exploit is shown in the scan results. The proof of exploit highlights the payload used in the request to exploit the DOM XSS vulnerability, and the impact the exploited vulnerability had on the web application.
This means that security teams and developers can move on to remediation without losing hours or days manually validating false positives, and developers can locate the vulnerability in the source code more quickly and write a patch.
Netsparker Web Application Security Scanner can help you protect your company's web applications from DOM-based XSS, as well as the full spectrum of website vulnerabilities. Contact us today to begin your 15-day free trial, and see how easy it is to strengthen your web security.