In this section, we’ll explain what DOM-based link manipulation is, look at the impact of an attack, and suggest ways of preventing these vulnerabilities.

What is DOM-based link manipulation?

DOM-based link-manipulation vulnerabilities arise when a script writes attacker-controllable data to a navigation target within the current page, such as a clickable link or the submission URL of a form. An attacker might be able to use this vulnerability to construct a URL that, if visited by another application user, will modify the target of links within the response.

What is the impact of a DOM-based link-manipulation attack?

An attacker may be able to leverage this vulnerability to perform various attacks, including:

  • Causing the user to be redirected to an arbitrary external URL, which could facilitate a phishing attack.
  • Causing the user to submit sensitive form data to a server controlled by the attacker.
  • Changing the file or query string associated with a link, causing the user to perform an unintended action within the application.
  • Bypassing browser anti-XSS defenses by injecting on-site links containing XSS exploits. This works because anti-XSS defenses do not typically account for on-site links.

Which sinks can lead to DOM-based link-manipulation vulnerabilities?

The following are some of the main sinks that can lead to DOM-based link-manipulation vulnerabilities:

element.href
element.src
element.action

How to prevent DOM-based link-manipulation vulnerabilities

In addition to the general measures described on the DOM-based vulnerabilities page, you should avoid allowing data from any untrusted source to dynamically set the target URL for links or forms.
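One way to apply this guidance when a link target must still depend on request data, shown as an added example that is not part of the original page. The origin, the allow-listed paths, the `next` parameter and all function names are assumptions made for illustration.

```javascript
// Constructed values for this example (assumptions, not from the page).
const APP_ORIGIN = "https://app.example";
const ALLOWED_PATHS = new Set(["/account", "/orders", "/help"]);
const FALLBACK = "/";

// Vulnerable pattern: data from the query string reaches the sink unchanged.
function setLinkUnsafe(element, search) {
  element.href = new URLSearchParams(search).get("next"); // sink: element.href
}

// Map untrusted input to a same-origin, allow-listed path, or to FALLBACK.
function resolveTarget(untrusted) {
  if (typeof untrusted !== "string") return FALLBACK; // parameter absent
  let url;
  try {
    // Parse the way the browser would resolve it against the application.
    // This normalises "//host", "\\host" and "../" forms before any check.
    url = new URL(untrusted, APP_ORIGIN);
  } catch {
    return FALLBACK; // not parseable as a URL
  }
  // Rejects external hosts and non-http schemes (their origin is "null").
  if (url.origin !== APP_ORIGIN) return FALLBACK;
  // Only known pages may be linked; anything else is replaced.
  if (!ALLOWED_PATHS.has(url.pathname)) return FALLBACK;
  // Return the path only, so an injected query string or fragment
  // cannot alter what the link does inside the application.
  return url.pathname;
}

// Hardened form: the sink only ever receives a value chosen by the application.
function setLinkSafe(element, search) {
  element.href = resolveTarget(new URLSearchParams(search).get("next"));
}

// In a page this would be called as, for example:
//   setLinkSafe(document.getElementById("continue"), location.search);
// The same resolveTarget() check applies before writing element.action.
```

The check runs on the parsed URL rather than on the raw string, so the value that is validated is the value the browser would navigate to.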