System administrator / DevOps / Ethical Penetration tester
In this section, we’ll look at what DOM-data manipulation is, discuss the potential impact of this kind of attack, and look at ways to reduce your exposure to DOM-data manipulation vulnerabilities.
What is DOM-data manipulation?
DOM-data manipulation vulnerabilities arise when a script writes attacker-controllable data to a field within the DOM that is used within the visible UI or client-side logic. An attacker may be able to use this vulnerability to construct a URL that, if visited by another user, will modify the appearance or behavior of the client-side UI. DOM-data manipulation vulnerabilities can be exploited by both reflected and stored DOM-based attacks.
What is the impact of DOM-data manipulation?
At the lesser end of the scale, an attacker may be able to leverage this vulnerability to perform virtual defacement of the website, such as changing text or images that are displayed on a particular page. However, attacks can be more severe. For example, if the attacker is able to change the
Which sinks can lead to DOM-data manipulation vulnerabilities?
The following are some of the main sinks that can lead to DOM-data manipulation vulnerabilities:
script.src script.text script.textContent script.innerText element.setAttribute() element.search element.text element.textContent element.innerText element.outerText element.value element.name element.target element.method element.type element.backgroundImage element.cssText element.codebase document.title document.implementation.createHTMLDocument() history.pushState() history.replaceState()
How to prevent DOM-data manipulation vulnerabilities
In addition to the general measures described on the DOM-based vulnerabilities page, you should avoid allowing data from any untrusted source to be dynamically written to DOM-data fields. The relevant code and execution paths should be reviewed to determine whether this vulnerability is indeed present, or whether mitigations are in place that would prevent exploitation.