Much of the scariest XSS (aka, most difficult to prevent) comes from the DOM these days.
Edge, FF and Chrome don't follow the spec as well as they should, and the result is a lot of minor browser incompatibilities that are very hard to detect and fix.
Each browser is making modifications to the DOM spec, many of which make introducing XSS and XSRF into a web app very easy.
Deep DOM and JS knowledge is a must have for pen testers these days.
// Set a cookie on the main document.
document.cookie = 'secret=123';
// Parse an (empty) HTML string into a separate, inert Document object.
const parser = new DOMParser();
const html = parser.parseFromString('', 'text/html');
// Read the cookie property of the parsed document rather than the main one.
console.log(html.cookie);
Prints secret=123 because of an improperly implemented inheritance model. Other browsers do NOT inherit cookies from the main document, as a result of following the spec more closely.