Conosco molto bene le classiche vulnerabilità XSS come quella riflessa & XSS memorizzato. Ho letto molto sulle vulnerabilità XSS basate su DOM e DOM. Sono giunto alla conclusione che non c'è nulla da fare dal lato server per prevenire XSS basato su DOM poiché i vettori di attacco non vengono mai passati al lato server. Allora come possiamo prevenire questo tipo di attacchi?
Definizione tratta da OWASP
DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.
This is in contrast to other XSS attacks (stored or reflected), wherein the attack payload is placed in the response page (due to a server side flaw).
Leggi altre domande sui tag dom vulnerability xss