This is an unusual type of XSS. DOM based XSS differs from other XSS by the fact that the XSS happens by the execution of user-supplied input on the DOM of the browser instead of normally sneaking into the HTML, which is the case in typical XSS vulnerabilities. In other words, the user-supplied input is not generated as a part of the HTTP response body.
Check the following piece of code to better understand DOM-based XSS:
name = location.hash.substring(1);
document.write(“Hey “+unescape(name)+”! Nice to meet you“);
The previous code receives an input from location.hash and then uses that to create a message using the document.write() function dynamically.
If you tried the code, you can see something is displayed, which is taken from the location.hash attribute.If the input contained something malicious, like an XSS payload, then what would happen?
If an attacker was able to inject XSS payload into the location.hash property, the payload will be written to the DOM through document.write(), which writes the payload into the page.
Now, we have an XSS payload in the input and that input or source reaches the DOM sink that is the document.write function, resulting in a cross-site scripting flaw.