00 — Overview
DOM-Based XSS
The server never sees this one. DOM XSS lives entirely in client-side JavaScript: the tainted value is read and written by the page's own script and never appears in a server request or response, which makes it the hardest type to detect with server-side tooling and the easiest to miss in code review.
Intermediate · 45 min · 9 tasks
// By the end of this module
→ Understand the difference between server-side and DOM-based XSS
→ Identify dangerous DOM sinks: innerHTML, document.write, eval
→ Trace tainted data from sources (location.hash, postMessage) to sinks
→ Exploit DOM XSS without any server-side reflection
// Prerequisites
