DOM‑based Cross‑Site Scripting

DOM‑based XSS occurs when the client‑side script processes user input and writes it directly back to the DOM. In Juice Shop, the search function reflects HTML without sanitisation, allowing attackers to execute arbitrary JavaScript in the browser.

• Open the search page or product finder in Juice Shop.
• Enter a malicious string containing HTML/JavaScript into the search field.
• The application injects the unfiltered string into the page, causing the script to run.

Sample payloads:

<svg/onload=alert('DOMXSS')>
<img src="x" onerror="document.body.innerHTML='Hacked!'">

• Execution of malicious JavaScript in the victim’s browser.
• Manipulation of the DOM to deface pages or exfiltrate data.
• Potential propagation of the attack via links or bookmarks.

• Avoid using innerHTML or similar APIs to insert untrusted content.
• Use safe DOM methods (e.g., textContent, append()) to handle user input.
• Employ a robust sanitisation library for any dynamic HTML generation.