Script http-dombased-xss

Script types: portrule
Categories: intrusive, exploit, vuln

Script Summary

It looks for places where attacker-controlled information in the DOM may be used to affect JavaScript execution in certain ways. The attack is explained here:

See also:

Script Arguments


The pages to test. For example, {/index.php, /profile.php}. Default: nil (crawler mode on)


See the documentation for the slaxml library.

httpspider.doscraping, httpspider.maxdepth, httpspider.maxpagecount, httpspider.noblacklist, httpspider.url, httpspider.useheadfornonwebfiles, httpspider.withindomain, httpspider.withinhost

See the documentation for the httpspider library., http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap -p80 --script http-dombased-xss.nse <target>

DOM-based XSS occur in client-side JavaScript and this script tries to detect
them by using some patterns. Please note, that the script may generate some
false positives. Don't take everything in the output as a vulnerability, if
you don't review it first.

Most of the patterns used to determine the vulnerable code have been taken
from this page:

Script Output

80/tcp open  http    syn-ack
| http-dombased-xss:
| Spidering limited to: maxdepth=3; maxpagecount=20;
|   Found the following indications of potential DOM based XSS:
|     Source: document.write("<OPTION value=1>"+document.location.href.substring(document.location.href.indexOf("default=")
|     Pages:,
|     Source: document.write(document.URL.substring(pos,document.URL.length)
|_    Pages:



  • George Chatzisofroniou

License: Same as Nmap--See