How does DOM-based XSS differ from server-side XSS?
The payload is never sent to the server — client-side JS reads it from the URL/DOM and writes it into the page, so the server's logs and filters never see the attack.
DOM-based XSS manipulates the page entirely in the browser:
document.write("<OPTION value=1>"+document.location.href.substring(
document.location.href.indexOf("default=")+8)+"</OPTION>");
Attack URL:
http://www.site/page.html?default=<script>alert(document.cookie)</script>
Key differences:
- Payload never sent to server (may not appear in logs)
- Script extracts data from URL and writes to DOM
- Server sees clean request, can't detect the attack
- Harder to detect with server-side security tools
Go deeper:
PortSwigger — DOM-based XSS — sources and sinks; why the server never sees the payload.