OWASP Top 10

DOM-based XSS - Client-Side Injection

Difficulty: Medium | Category: A03:2021 (Injection) - XSS | 200 points
Challenge Description

This page contains DOM-based Cross-Site Scripting (XSS) vulnerabilities. Unlike reflected or stored XSS, the server never echoes the payload: untrusted data from a client-side source (the URL fragment, the query string, a form field) flows into a dangerous sink inside the page's own JavaScript, so the vulnerability exists entirely in client-side code.

The page has three vulnerable features:

  1. Welcome Message: Uses innerHTML with URL hash parameter
  2. Message Display: Uses innerHTML with query parameter
  3. Calculator: Uses eval() with user input

Learning Objective: Understand how client-side JavaScript can introduce XSS vulnerabilities through dangerous sinks like innerHTML and eval.

Target: The page has a secret token stored in a JavaScript variable. Use DOM XSS to extract it!

Secret Token: [Execute XSS to reveal]
Feature 1: Welcome Message (innerHTML sink)

This feature reads a name from the URL fragment (location.hash) and inserts it into the page with innerHTML. Note that a <script> element inserted through innerHTML is not executed, so a working payload uses an element with an event handler, for example an <img> whose onerror attribute runs JavaScript.

Vulnerable Code:
// VULNERABLE: Using innerHTML with user input
// Source: the URL fragment (decoding shown here is assumed; the page only states that the hash is read)
var name = decodeURIComponent(location.hash.slice(1));
// Sink: innerHTML parses the string as live markup, so any tags in `name` become real elements
document.getElementById('welcome-area').innerHTML =
    '<h3>Welcome, ' + name + '!</h3>';
Feature 2: Message Display (innerHTML sink)

This feature reads a message from a query parameter (the URL's search string) and inserts it with innerHTML. The parameter travels to the server in the request line, but the server does not reflect it; the page's own script is what writes it into the DOM.

Feature 3: Calculator (eval sink)

This calculator passes the expression to eval(), which runs whatever string it receives as JavaScript with the page's full privileges. An "expression" can therefore be a function call that reads the secret token and sends it to an attacker-controlled host. Extremely dangerous!

Vulnerable Code:
// VULNERABLE: Using eval with user input
// Sink: eval compiles and runs `userInput` as JavaScript, not as arithmetic
var result = eval(userInput);
// textContent here is safe, but the damage is already done on the line above
document.getElementById('calc-result').textContent = result;
Dangerous DOM Sinks

Common vulnerable JavaScript patterns:

  • element.innerHTML = input
  • element.outerHTML = input
  • document.write(input)
  • eval(input)
  • setTimeout(input, ...) (when input is a string, it is compiled like eval)
  • setInterval(input, ...) (same string-argument behaviour as setTimeout)
  • new Function(input)
  • element.setAttribute('onclick', input) (any event-handler attribute)
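The following is an added example, not code from the challenge page: it places the page's innerHTML and eval() sinks next to safe replacements, as pure functions so it runs under Node as well as in a browser console. The function names, the HTML-encoding helper, the hand-written expression grammar and the sample payload are all this example's own assumptions; the page only states that a name is read from the URL hash and that the calculator calls eval().

```javascript
// Added example, not part of the challenge page: the page's innerHTML and
// eval sinks next to safe replacements. Pure functions (no DOM access), so
// this runs under Node as well as in a browser console.

// Escape the five characters that matter in text nodes and quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Source for Feature 1: the URL fragment. location.hash keeps the leading '#';
// the fragment is never sent to the server, so server-side filters never see it.
function nameFromHash(hash) {
  return decodeURIComponent(hash.replace(/^#/, ''));
}

// Feature 1 as the page writes it: the string that is assigned to innerHTML.
// A name like <img src=x onerror=alert(1)> is inserted as live markup.
function welcomeMarkupVulnerable(name) {
  return '<h3>Welcome, ' + name + '!</h3>';
}

// Hardened: encode before concatenating (or set textContent and skip markup).
function welcomeMarkupSafe(name) {
  return '<h3>Welcome, ' + escapeHtml(name) + '!</h3>';
}

// Feature 3 replacement: a recursive-descent evaluator that accepts only
// numbers, + - * / and parentheses. Identifiers, property access and calls
// are rejected up front, so 'alert(1)' or 'fetch(...)' never reach a JS
// interpreter. (The grammar and error strings are this example's own.)
function safeCalc(expr) {
  const src = String(expr).replace(/\s+/g, '');
  if (src === '' || !/^[\d.+\-*/()]+$/.test(src)) {
    throw new Error('unsupported character in expression');
  }
  let pos = 0;
  const peek = () => src[pos];
  const next = () => src[pos++];

  function number() {
    const m = /^\d+(\.\d+)?/.exec(src.slice(pos));
    if (!m) throw new Error('expected number at offset ' + pos);
    pos += m[0].length;
    return parseFloat(m[0]);
  }
  function factor() {            // number | '(' expression ')' | '-' factor
    if (peek() === '(') {
      next();
      const v = expression();
      if (next() !== ')') throw new Error('missing closing parenthesis');
      return v;
    }
    if (peek() === '-') { next(); return -factor(); }
    return number();
  }
  function term() {              // factor (('*' | '/') factor)*
    let v = factor();
    while (peek() === '*' || peek() === '/') {
      const op = next();
      const r = factor();
      if (op === '/' && r === 0) throw new Error('division by zero');
      v = op === '*' ? v * r : v / r;
    }
    return v;
  }
  function expression() {        // term (('+' | '-') term)*
    let v = term();
    while (peek() === '+' || peek() === '-') {
      const op = next();
      const r = term();
      v = op === '+' ? v + r : v - r;
    }
    return v;
  }

  const result = expression();
  if (pos !== src.length) throw new Error('unexpected input at offset ' + pos);
  return result;
}

// Constructed payload, shaped like what a solver would put in the URL hash.
const SAMPLE_PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(welcomeMarkupVulnerable(nameFromHash('#' + encodeURIComponent(SAMPLE_PAYLOAD))));
  console.log(welcomeMarkupSafe(SAMPLE_PAYLOAD));
  console.log(safeCalc('(2 + 3) * 4 - 6 / 3'));
  try { safeCalc('alert(1)'); } catch (e) { console.log('rejected:', e.message); }
}
```

Run it with `node file.js`: the first line printed is the live `<img ... onerror=...>` markup that innerHTML would execute, the second is the same payload rendered harmless as `&lt;img ...&gt;`, and the calculator rejects `alert(1)` before any code runs. The point of the parser is not cleverness but a closed grammar: only what it explicitly accepts can reach the interpreter, which is the property eval() can never give you.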