XSS (10)

Identify potential for DOM-Based XSS

DOM-Based XSS can usually be found by looking for the route configurations in the client-side code. Look for a route that takes inputs that are being "reflected" to the page.

For this example, you will want to look for some 'test' code in the route handlers (WebGoat uses backbone as its primary JavaScript library). Sometimes, test code gets left in production (and often times test code is very simple and lacks security or any quality controls!).

Your objective is to find the route and exploit it. First though …​ what is the base route? As an example, look at the URL for this lesson …​ it should look something like /WebGoat/start.mvc#lesson/CrossSiteScripting.lesson/9. The 'base route' in this case is: start.mvc#lesson/ The CrossSiteScripting.lesson/9 after that are parameters that are processed by the JavaScript route handler.

So, what is the route for the test code that stayed in the app during production? To answer this question, you have to check the JavaScript source.


  • Open the Development Tools in the browser, and go to the Debugger tab.

  • Locate the goatApp/View/GoatRouter.js file and open it.

  • Look for routes to find 'test/:param': 'testRoute'.

  • The expected answer is then start.mvc#test/.

Last updated