DOM-based XSS Scanner

There’s no denying the role that JavaScript has played in making web applications the sleek, interactive, online experiences that we know and love today. This powerful scripting language brought interactivity and animation to the web. But with great power comes great responsibility. Cross-site Scripting (XSS) remains a persistent stalwart among the OWASP Top 10. Malicious JavaScript code injected into the DOM is all it takes to compromise a user’s data and avoid conventional, server-side centered XSS vulnerability scanning techniques. Let’s take a closer look at DOM-based Cross-site Scripting (XSS) vulnerabilities and how the Acunetix DeepScan technology can help you prevent a hack.

The Document Object Model (DOM) lets web developers dictate through HTML source code how a user’s web browser should display a web page. DOM-based XSS attacks seek to exploit the DOM in a simple two-step process:

Create a Source: Inject a malicious script into a property found to be suceptible to DOM-based XSS attacks. Common injection vectors include document.url, document.location, and document.referrer objects.
Exploit the Sink: A sink is the point in the data flow where the browser will execute the malicious JavaScript code hidden in the DOM. Common sinks include document.write, setTimeout, and setInterval.

For a typical example of how a DOM-based XSS attack is executed, it’s suggested that you read the following article: DOM XSS: An Explanation of DOM-based Cross-Site Scripting.

In order to find the source of a DOM-based XSS vulnerability before the hackers do, you’ll want to scan the client side of your web application with a DOM XSS scanner. The Acunetix Web Vulnerability Scanner contains all the tools you’ll need to sniff out DOM XSS sources. With the highest SQLi and XSS detection rate in the industry, Acunetix can crawl your web application and without fear of false positives.