System administrator / DevOps / Ethical Penetration tester
Users can be induced to visit the attacker’s malicious URL in various ways, similar to the usual attack-delivery vectors for reflected cross-site scripting vulnerabilities. For more information, please refer to our page on DOM XSS.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim’s session token or login credentials, performing arbitrary actions on the victim’s behalf, or even logging their keystrokes.
The following sinks execute their argument as JavaScript, so attacker-controllable data reaching any of them leads to JavaScript injection (DOM-based XSS):

eval()
Function()
setTimeout()
setInterval()
setImmediate()
execCommand()
execScript()
msSetImmediate()
range.createContextualFragment()
crypto.generateCRMFRequest()