\n\nKey differences:\n\nPayload never sent to server (may not appear in logs)\nScript extracts data from URL and writes to DOM\nServer sees clean request, can't detect the attack\nHarder to detect with server-side security tools\n\nGo deeper:\n\n PortSwigger — DOM-based XSS — sources and sinks; why the server never sees the payload.\n\n", "dateModified": "2026-07-05T08:49:35+00:00" } } }

LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

How does DOM-based XSS differ from server-side XSS?

The payload is never sent to the server — client-side JS reads it from the URL/DOM and writes it into the page, so the server's logs and filters never see the attack.

DOM-based XSS manipulates the page entirely in the browser:

document.write("<OPTION value=1>"+document.location.href.substring(
  document.location.href.indexOf("default=")+8)+"</OPTION>");

Attack URL:

http://www.site/page.html?default=<script>alert(document.cookie)</script>

Key differences:

  • Payload never sent to server (may not appear in logs)
  • Script extracts data from URL and writes to DOM
  • Server sees clean request, can't detect the attack
  • Harder to detect with server-side security tools

Go deeper:

From Quiz: SPRG / Input Validation & Output Encoding | Updated: Jul 05, 2026