Beyond Alert Boxes: Exploiting DOM XSS for Full Account Takeover
Summary
A Medium blog post has highlighted how a DOM XSS (cross-site scripting) vulnerability can be used to gain full control of a user’s account.
The author explains that XSS is a web vulnerability that is often underestimated, but which can have severe repercussions.
In the case described, the articleId parameter on the targeted website was being improperly handled in client-side JavaScript, allowing malicious scripts to be injected into the victim’s browser DOM (Document Object Model).
The post includes technical details of the vulnerability and describes several steps that could have prevented this type of attack, including input validation to make sure aliases are present in the front end and a content security policy (CSP) that restricts the sources from which scripts can be loaded.
The post concludes by warning that failure to handle user-controlled data properly in the DOM leaves organisations open to severe security risks.
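The articleId handling and the two mitigations described above, as an added example that is not code from the original post. It assumes the value reached an HTML-parsing sink such as innerHTML and that a legitimate articleId is numeric; all function names are hypothetical.

```javascript
// Added example: function names are hypothetical, not taken from the post.
// Assumption: a legitimate articleId is a short numeric identifier.
const ARTICLE_ID_RE = /^[0-9]{1,12}$/;

// Before: the query-string value is concatenated into markup and handed to an
// HTML-parsing sink, so whatever the URL carries becomes part of the DOM.
function renderUnsafe(el, search) {
  const id = new URLSearchParams(search).get("articleId");
  el.innerHTML = "<h2>Article " + id + "</h2>";
}

// After, step 1: allowlist validation. Anything that is not purely numeric
// (or is missing) is rejected instead of being "cleaned up".
function parseArticleId(search) {
  const id = new URLSearchParams(search).get("articleId");
  return id !== null && ARTICLE_ID_RE.test(id) ? id : null;
}

// After, step 2: write through a text-only sink that never parses HTML.
function renderSafe(el, search) {
  const id = parseArticleId(search);
  el.textContent = id === null ? "Article not found" : "Article " + id;
  return id !== null;
}

// Defence in depth: a CSP that allows only same-origin script files, so inline
// script and inline event handlers injected into the page are not executed.
function cspHeader() {
  return [
    "default-src 'self'",
    "script-src 'self'",
    "object-src 'none'",
    "base-uri 'none'",
  ].join("; ");
}

// Constructed input; plain objects stand in for DOM elements so this runs
// under Node as well as in a browser.
function demo() {
  const markup = "?articleId=%3Cb%3Ex%3C%2Fb%3E"; // decodes to <b>x</b>
  const unsafeEl = {}, safeEl = {};
  renderUnsafe(unsafeEl, markup);
  const accepted = renderSafe(safeEl, markup);
  return { unsafe: unsafeEl.innerHTML, safe: safeEl.textContent, accepted };
}
```

The value returned by cspHeader() is meant to be sent by the server as the Content-Security-Policy response header.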