DOM-Based Cross-Site Scripting

The widespread adoption of web applications that depend heavily on client-side JavaScript, and of mobile applications that use JavaScript to achieve cross-platform compatibility, has led to the emergence of a new type of cross-site scripting. DOM-based XSS does not introduce a new way for the exposure to occur (it is still reflected or stored); what is new is the location where the payload is constructed.

In this paper we’ll explain why DOM-based vulnerabilities cannot effectively be discovered through standard white box or black box testing and what that means for your security program.