Skip to content
← Docs

DOM XSS

DOM XSS

DOM XSS vulnerabilities exist when JavaScript reads attacker-controllable data and passes it to a dangerous sink.

Common sources

  • location.hash
  • location.search
  • document.referrer
  • postMessage data

Common sinks

  • innerHTML
  • document.write
  • eval

Use the xsspayloads playground to test payloads in isolated contexts.