javascript.browser.security.dom-based-xss.dom-based-xss

Author: semgrep
Download count: 4,986

Detected possible DOM-based XSS. This occurs because a portion of the URL is being used to construct an element added directly to the page. For example, a malicious actor could send someone a link like this: http://www.some.site/page.html?default=<script>alert(document.cookie)</script> which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL.


Definition

rules:
  - id: dom-based-xss
    message: "Detected possible DOM-based XSS. This occurs because a portion of the
      URL is being used to construct an element added directly to the page. For
      example, a malicious actor could send someone a link like this:
      http://www.some.site/page.html?default=<script>alert(document.cookie)</sc\
      ript> which would add the script to the page. Consider allowlisting
      appropriate values or using an approach which does not involve the URL."
    metadata:
      cwe:
        - "CWE-79: Improper Neutralization of Input During Web Page Generation
          ('Cross-site Scripting')"
      owasp:
        - A07:2017 - Cross-Site Scripting (XSS)
        - A03:2021 - Injection
      references:
        - https://owasp.org/www-community/attacks/DOM_Based_XSS
      category: security
      technology:
        - browser
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cross-Site-Scripting (XSS)
    languages:
      - javascript
      - typescript
    severity: ERROR
    pattern-either:
      - pattern: document.write(<... document.location.$W ...>)
      - pattern: document.write(<... location.$W ...>)

Examples

dom-based-xss.js

// ruleid:dom-based-xss
document.write("<OPTION value=1>"+document.location.href.substring(document.location.href.indexOf("default=")+8)+"</OPTION>");

// ok:dom-based-xss
document.write("<OPTION value=2>English</OPTION>");
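As an added example (not code from the rule page or the Semgrep project), here is the flagged concatenation next to the allowlisted rewrite the message recommends: the query value is parsed with the URL API and only used to look up a fixed entry, so attacker-controlled text never reaches the markup. The language table and the sample URL are constructed for the example.

```javascript
// Assumed allowlist of acceptable "default=" values (constructed for this example).
const ALLOWED_LANGUAGES = new Map([
  ["1", "English"],
  ["2", "French"],
  ["3", "German"],
]);
const FALLBACK_LANGUAGE = "1";

// The pattern the rule reports: whatever follows "default=" in the URL is
// concatenated straight into markup. Written as a pure function so the
// resulting string can be inspected without a browser.
function buildOptionUnsafe(href) {
  return "<OPTION value=1>" + href.substring(href.indexOf("default=") + 8) + "</OPTION>";
}

// Hardened: parse the query properly, accept only allowlisted keys, and fall
// back to a known value when the parameter is missing or not allowlisted.
function selectedLanguage(href) {
  const value = new URL(href).searchParams.get("default");
  return ALLOWED_LANGUAGES.has(value) ? value : FALLBACK_LANGUAGE;
}

// Both interpolated pieces come from the allowlist table, never from the URL.
function buildOptionSafe(href) {
  const value = selectedLanguage(href);
  return `<OPTION value=${value}>${ALLOWED_LANGUAGES.get(value)}</OPTION>`;
}

// In a real page, prefer DOM APIs over document.write entirely:
// the label goes through textContent, so it is never parsed as HTML.
function appendOption(selectElement, href) {
  const value = selectedLanguage(href);
  const option = selectElement.ownerDocument.createElement("option");
  option.value = value;
  option.textContent = ALLOWED_LANGUAGES.get(value);
  selectElement.appendChild(option);
  return option;
}

// Constructed sample URL with the payload shape quoted in the rule message.
const SAMPLE_URL =
  "http://www.some.site/page.html?default=<script>alert(document.cookie)</script>";
```

Running `buildOptionUnsafe(SAMPLE_URL)` shows the script tag landing inside the option markup, while `buildOptionSafe(SAMPLE_URL)` returns the fallback English option.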