Skip to main content
Information Security

Return to Answer

deleted 48 characters in body
Source Link
schroeder
schroeder
  • 134k
  • 55
  • 309
  • 356

The DOM XSS attack needs DOM elements to be a successful attack and it's necessary JS code. Now, you can do XSS attacks on page without JS Code, this is possible using the reflected or persistent XSS attacks, for example, you have the next field on your HTML form and the web application reflects the value on that field or gets the value from a database or another kind of data storage, and places that data on the value attribute of the field:

<input id="user" name="user" value="{value_from_server}" />

You can inject something like this:

" /><script>alert("XSS");</script><input id="user2" name="user2" value="

Then if you replace {value_from_server} for the text above, you will have the following result:

<input id="user" name="user" value=" " /><script>alert("XSS");</script><input id="user2" name="user2" value=" " />

As you can see, you just need to know how the web application places the data on your web page and the rest is just creativity, in this case, a web page without JS code could be vulnerable to XSS attacks.

I hope this information helps you.

Good luck.

The DOM XSS attack needs DOM elements to be a successful attack and it's necessary JS code. Now, you can do XSS attacks on page without JS Code, this is possible using the reflected or persistent XSS attacks, for example, you have the next field on your HTML form and the web application reflects the value on that field or gets the value from a database or another kind of data storage, and places that data on the value attribute of the field:

<input id="user" name="user" value="{value_from_server}" />

You can inject something like this:

" /><script>alert("XSS");</script><input id="user2" name="user2" value="

Then if you replace {value_from_server} for the text above, you will have the following result:

<input id="user" name="user" value=" " /><script>alert("XSS");</script><input id="user2" name="user2" value=" " />

As you can see, you just need to know how the web application places the data on your web page and the rest is just creativity, in this case, a web page without JS code could be vulnerable to XSS attacks.

I hope this information helps you.

Good luck.

The DOM XSS attack needs DOM elements to be a successful attack and it's necessary JS code. Now, you can do XSS attacks on page without JS Code, this is possible using the reflected or persistent XSS attacks, for example, you have the next field on your HTML form and the web application reflects the value on that field or gets the value from a database or another kind of data storage, and places that data on the value attribute of the field:

<input id="user" name="user" value="{value_from_server}" />

You can inject something like this:

" /><script>alert("XSS");</script><input id="user2" name="user2" value="

Then if you replace {value_from_server} for the text above, you will have the following result:

<input id="user" name="user" value=" " /><script>alert("XSS");</script><input id="user2" name="user2" value=" " />

As you can see, you just need to know how the web application places the data on your web page and the rest is just creativity, in this case, a web page without JS code could be vulnerable to XSS attacks.

Source Link
hmrojas.p
hmrojas.p
  • 1.1k
  • 1
  • 8
  • 17

The DOM XSS attack needs DOM elements to be a successful attack and it's necessary JS code. Now, you can do XSS attacks on page without JS Code, this is possible using the reflected or persistent XSS attacks, for example, you have the next field on your HTML form and the web application reflects the value on that field or gets the value from a database or another kind of data storage, and places that data on the value attribute of the field:

<input id="user" name="user" value="{value_from_server}" />

You can inject something like this:

" /><script>alert("XSS");</script><input id="user2" name="user2" value="

Then if you replace {value_from_server} for the text above, you will have the following result:

<input id="user" name="user" value=" " /><script>alert("XSS");</script><input id="user2" name="user2" value=" " />

As you can see, you just need to know how the web application places the data on your web page and the rest is just creativity, in this case, a web page without JS code could be vulnerable to XSS attacks.

I hope this information helps you.

Good luck.