DOM-Based Cross Site Scripting

Check List

Methodology

Black Box

1. Locate the search bar or a URL query parameter on the blog page and check whether the input is reflected in the HTML output.
2. Search for a harmless keyword such as HI and confirm the query appears in the page source or the response body.
3. Inject a basic HTML tag, e.g. #"><img src=x>, into the query parameter and check whether it renders as a broken image (the tag reached the page unencoded).
4. If the greater-than sign > comes back HTML-encoded and event handlers are removed, a WAF or server-side sanitizer is filtering the input.
5. Try a script tag directly in the URL query, e.g. #<script>alert(document.domain)</script>, to see whether the filter can be bypassed.
6. If the alert fires and shows document.domain, reflected XSS is confirmed.
7. Test the same query parameter on other Microsoft blog endpoints such as /msrc/blog, /security, /vulnerability, or /research, as these often have search functionality with similar reflection.
8. Paths worth checking on such a target include /msrc/blog/search, /security/blog, /vulnerability/research, and /msrc/search.


1. Load the target forum or community site and locate the search bar, typically in the top right corner or header, then click it.
2. Enter a payload like @<script>prompt(1337)</script>gmail.com into the search input and submit the query.
3. Check whether a new window or an advanced-search page opens; if the payload is reflected unsanitized in the input field or in the results, it may trigger XSS.
4. Observe the advanced search page for script execution (a prompt(1337) dialog).
5. Copy the generated URL containing the reflected payload and open it in a new tab to confirm that the payload executes from the URL alone, which is what a victim would receive:

https://example.org/search?q=@<script>prompt(1337)</script>gmail.com
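Both black-box lists above come down to one judgement: did the probe reach the HTML raw, entity-encoded, or mangled by a filter? The following is an added example (not code from the original checklist) that makes that judgement on a saved response body. The probe is the checklist's broken-image payload with a unique canary in the src attribute so the reflection can still be found after a filter has stripped the tag; the sample responses are constructed, and https://example.org/search and the q parameter are assumed names.

```javascript
// Added example: classify how a search endpoint reflects an XSS probe.
// The canary lets us find the reflection even when <img ...> is gone.
const CANARY = 'xsscanary7';
const PROBE = `#"><img src=${CANARY} onerror=alert(document.domain)>`;

// Minimal HTML entity encoding, as a templating engine would apply it.
function htmlEncode(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Build the probe URL. URLSearchParams percent-encodes the payload, so the
// leading '#' is sent to the server instead of being treated as a fragment.
function buildProbeUrl(base, param, probe = PROBE) {
  const u = new URL(base);
  u.searchParams.set(param, probe);
  return u.toString();
}

// Classification of a response body:
//   'not-reflected'    canary absent, the parameter is not echoed here
//   'encoded'          probe echoed with < > " entity-encoded (safe context)
//   'raw'              probe (or an <img> with onerror) echoed unmodified
//   'handler-stripped' <img> survives but onerror removed (filter present)
//   'tag-stripped'     canary survives but the tag itself was removed
function classifyReflection(body, probe = PROBE) {
  if (!body.includes(CANARY)) return 'not-reflected';
  if (body.includes(probe)) return 'raw';
  if (body.includes(htmlEncode(probe))) return 'encoded';
  const imgTag = new RegExp(`<img[^>]*src=${CANARY}[^>]*>`, 'i').exec(body);
  if (imgTag) return /onerror/i.test(imgTag[0]) ? 'raw' : 'handler-stripped';
  return 'tag-stripped';
}

// Constructed sample responses, one per outcome the checklist distinguishes.
const SAMPLES = {
  encoded: `<input name="q" value="${htmlEncode(PROBE)}">`,
  filtered: `<p>Results for #"><img src=${CANARY}></p>`,
  stripped: `<p>Results for #"&gt;${CANARY}</p>`,
  raw: `<p>Results for ${PROBE}</p>`,
  none: '<p>No results</p>',
};

// Run every sample through the classifier; returns {sampleName: verdict}.
function demo() {
  const out = {};
  for (const [name, body] of Object.entries(SAMPLES)) {
    out[name] = classifyReflection(body);
  }
  return out;
}

console.log(buildProbeUrl('https://example.org/search', 'q'));
console.log(demo());
```

A 'handler-stripped' or 'tag-stripped' verdict is the cue for step 4 of the first list (a filter is present) and step 5 (try a different tag or a script tag); 'encoded' means the reflection point is output-encoded and not worth more payloads, while 'raw' means the payload will execute when the URL is opened in a browser.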

SPA Sites

1. Find a JavaScript-heavy site or SPA that renders content client-side.
2. Check the page source or dev tools to locate JS code using innerHTML, document.write, insertAdjacentHTML, or outerHTML.
3. Make a normal interaction (search, profile, settings) and use the Elements tab to see whether user input (URL parameter, form field, localStorage) flows into these DOM sinks.
4. Inject a test payload such as <img src=x onerror=alert(1)> into the input source (URL, field, hash).
5. Example URL: https://target.com/search?q=<img src=x onerror=alert(1)>
6. Example hash: #<svg onload=alert(1)>
7. If the payload appears in the DOM and the alert fires with no change in the server response, DOM XSS is confirmed.
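Steps 2 and 3 above are a source-to-sink trace through client-side code. As an added example (not code from the original page), the scanner below does a first, grep-level pass over a JS bundle: it records the sinks the list names, the common location and storage sources, and variables assigned from a source, and flags every sink line that consumes one of them. The two snippets it scans are constructed: a vulnerable hash-driven search render that the example hash #<svg onload=alert(1)> would exploit, and the same feature fixed by writing textContent instead of innerHTML. It only tracks straight-line assignments within one file, so a clean report still needs manual review in the Sources tab.

```javascript
// Added example: triage a JS bundle for DOM XSS sinks fed by untrusted sources.
const SINKS = ['innerHTML', 'outerHTML', 'document.write', 'insertAdjacentHTML'];
const SOURCES = [
  'location.hash', 'location.search', 'location.href', 'document.URL',
  'document.referrer', 'localStorage',
];

// Scan source text line by line. A `const/let/var x = ...` line that touches a
// source (or an already-tainted variable) taints x for the rest of the file.
// Every sink line is reported; `taint` lists the sources or tainted variables
// it consumes, so an empty `taint` means "sink present, flow not proven".
function scanForDomSinks(source) {
  const tainted = new Set();
  const findings = [];
  source.split('\n').forEach((text, i) => {
    const sources = SOURCES.filter((s) => text.includes(s));
    const usesTainted = [...tainted].filter((v) => new RegExp(`\\b${v}\\b`).test(text));
    const decl = /(?:const|let|var)\s+([A-Za-z_]\w*)\s*=/.exec(text);
    if (decl && (sources.length || usesTainted.length)) tainted.add(decl[1]);
    const sinks = SINKS.filter((s) => text.includes(s));
    if (!sinks.length) return;
    findings.push({ line: i + 1, sinks, taint: [...sources, ...usesTainted], text: text.trim() });
  });
  return findings;
}

// Constructed vulnerable SPA code: the URL fragment is rendered as HTML, so
// https://target.com/#<svg onload=alert(1)> (assumed route) runs the payload
// with no request ever reaching the server.
const VULNERABLE = `
function renderSearch() {
  const q = decodeURIComponent(location.hash.slice(1));
  document.getElementById('results').innerHTML = 'Results for ' + q;
}
window.addEventListener('hashchange', renderSearch);
`;

// Same feature with the sink replaced by textContent: the payload is displayed
// as literal text and never parsed as markup.
const HARDENED = `
function renderSearch() {
  const q = decodeURIComponent(location.hash.slice(1));
  document.getElementById('results').textContent = 'Results for ' + q;
}
window.addEventListener('hashchange', renderSearch);
`;

// Constructed one-liner where source and sink sit on the same line.
const DIRECT = "document.body.insertAdjacentHTML('beforeend', decodeURIComponent(location.search));";

// Scan all three samples; returns {sampleName: findings[]}.
function demo() {
  return {
    vulnerable: scanForDomSinks(VULNERABLE),
    hardened: scanForDomSinks(HARDENED),
    direct: scanForDomSinks(DIRECT),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The finding for the vulnerable snippet points at the innerHTML line and names q as the tainted variable, which is exactly where step 4's payload lands; the hardened snippet produces no finding because textContent is not a markup sink. Real bundles are minified and the variable names are reused, so treat the output as a list of places to set DOM breakpoints rather than as a verdict.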


White Box

Cheat Sheet
