[javascript] Is this vulnerable to DOM-based XSS?


window.alert("<script>var u_r_so_hacked = true;</script>");
  • Pass the result string to the window.alert(). The "alert()" function always treats its argument strictly as a string. The only "special" character is newline, and all that does is cause text to wrap to a new line.
  • Perform a JavaScript string concatenation operation. At that point, it absolutely does not matter what the string of characters is.
  • Via the DOM API, copy a reference to a property of a DOM node (the "value" property of the <input> element) to a JavaScript variable.

Well "document.cookie" is a string. By "treats its argument as a string" I mean that it treats the value of the argument as a string. It's just JavaScript; calling alert with a string constant is no different than calling alert with a variable that refers to a string. And, I repeat, your users can already get all the cookies in their browsers. All of them, without exception. You cannot hide cookie values from your users.

alert("Error in " + document.cookie) is not a string. But alert("You got it " + "document.cookie") is a string. OP had the first one. But indeed a user can already grab all cookies in their browsers. I believe that the good thing here is that there is no way for this code / text to return to the malicious user, thus it's safe.

Are you sure about this quote? "The "alert()" function always treats its argument strictly as a string". It does not - if you just put alert(document.cookie); then the resulting alert box will have the contents of the cookie for the page (not the string document.cookie). In other words document.cookie is evaluated before being given to alert() for display. This is what I'm trying to understand: whether it can happen or not with my snippet.

will show the <script> tags just like that, angle brackets and all.

  • The malicious script could overwrite the value of document.myform.field with an object containing a value property. The alert could be thus made to display a message that looked like a different error message, such as:

Error in authentication. Please go to www.phisherman.com and enter your user name and password.

I'd say that if your auditor is concerned with "DOM-based XSS" wherein a user might cause harm to your servers by manipulating the DOM, your auditor does not know much about DOM and browser-based JavaScript. A user can crack open a JavaScript console and execute all manner of scripts, including XMLHttpRequests to your server that can be made to look like they came from your own script. Precautions need to be made on the server for those types of attacks. Worrying about the security risks to the DOM or UI from user input in form fields is silly.

If you are linking to no such untrustworthy scripts, then no, this is not vulnerable to DOM-based XSS. form.field.value contains a string. It is not evaluated as script, escape characters have no effect, the string contained in the textbox will be displayed in the alert window. Nothing a user enters in that field could be used to harm your servers or corrupt your data based on the code you've posted.

If you are linking to scripts from untrustworthy sources, you have much greater security concerns than the above.

The only way this could be a potential threat is if you are including scripts that are not under your control from an untrustworthy source.

thanks for the answer! (no the auditor is not worried about harm to servers, he just pointed out that this may be unsafe for the users or something like that). Anyway, I guess it's non-issue!
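The three steps the answer lists (read field.value, concatenate, pass to alert) and the second answer's caveat about an already-running script replacing the field reference, simulated so they can run outside a browser. This is an added example, not code from the question or any answer; the DOM node and alert() are stand-ins (assumptions) because there is no document or window here.

```javascript
// Added example, not from the original thread. The field object and the
// alert recorder are stand-ins for document.myform.field and window.alert().

// Stand-in for an <input> node: only the "value" property is read.
function makeField(userText) {
  return { tagName: "INPUT", value: userText };
}

// Stand-in for window.alert(): records what it was handed, coerced to a
// string exactly as the real dialog would display it.
function makeAlertRecorder() {
  const shown = [];
  return {
    alert: (msg) => { shown.push(String(msg)); },
    shown,
  };
}

// The snippet under discussion: read field.value, concatenate, alert.
function reportError(field, alertFn) {
  const message = "Error in " + field.value;
  alertFn(message);
  return message;
}

// The question's payload ends up displayed verbatim, angle brackets and
// all; nothing is parsed as markup or executed as script.
function demo() {
  const recorder = makeAlertRecorder();
  const payload = '<script>var u_r_so_hacked = true;</script>';
  reportError(makeField(payload), recorder.alert);
  // The variable the payload tries to define never comes into existence.
  const executed = typeof globalThis.u_r_so_hacked !== "undefined";
  return { shown: recorder.shown[0], executed };
}

// The caveat: a script already running in the page can replace the field
// reference with a plain object carrying its own "value". The alert still
// only displays a string, but now the text is whatever that script chose.
function demoOverwrittenField() {
  const recorder = makeAlertRecorder();
  const fake = { value: "authentication. Please go to www.phisherman.com and enter your user name and password." };
  reportError(fake, recorder.alert);
  return recorder.shown[0];
}
```

The second function only shows why the answer ties the risk to untrusted scripts already loaded in the page rather than to the text a user types into the field.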
