A collection of interactive HTML test pages demonstrating various DOM-based XSS and open-redirect sinks. Each page exercises a different sink method (e.g., appendChild
, document.write
, eval
, etc.) across multiple common attacker-controlled sources (inline inputs, query parameters, URL hash, cookies, Web Storage, window.name
, and document.referrer
).
DOM-based-test-cases/
├── index.html # Home page linking to all test cases
├── append_child.html # Test for appendChild sink
├── document_write.html # Test for document.write/document.writeln sinks
├── eval.html # Test for eval() sink
├── function_constructor.html # Test for Function constructor sink
├── inner_html.html # Test for innerHTML/outerHTML sinks
├── insert_adjacent_html.html # Test for insertAdjacentHTML sink
├── open_redirect.html # Test for open-redirect sinks (window.open, location.assign, etc.)
├── post_message.html # Test for postMessage() sink
└── js/ # Supporting JavaScript for test pages
├── lib.js # Shared utility library (cookie/helpers, common functions)
├── append_child.js # Handler for appendChild test
├── document_write.js # Handler for document.write test
├── eval.js # Handler for eval test
├── function_constructor.js # Handler for Function constructor test
├── inner_html.js # Handler for innerHTML test
├── insert_adjacent_html.js # Handler for insertAdjacentHTML test
├── open_redirect.js # Handler for open-redirect test
└── post_message.js # Handler for postMessage test
To use these test cases locally:
-
Clone the repository:
git clone https://github.com/DenisPodgurskii/DOM-based-test-cases.git cd DOM-based-test-cases
-
Serve over HTTP: Some tests rely on query parameters or
document.referrer
. Use a simple HTTP server:-
Python 3:
python -m http.server 8000
-
Node.js (http-server):
npx http-server -p 8000
-
-
Open ``: Visit http://localhost:8000/index.html in your browser to see the list of available test cases.
-
Run a Test: Select a test page, enter a payload (e.g.,
<script>alert(1)</script>
orhttp://evil.com
for redirects), and click the Run/Open button. Check your browser’s console or network inspector to observe the behavior.
Each test page follows the same pattern:
-
Sources Tested:
- Inline input: Manually entered in the page
- Query Parameter:
?payload=
in the URL - Fragment Identifier:
#payload
- Cookie: Stored under
payload
- Local Storage:
localStorage.getItem('payload')
- Session Storage:
sessionStorage.getItem('payload')
- window.name
- document.referrer
-
Sink Method: The specific API or property being tested (e.g.,
appendChild
,eval
,window.open
).
Behavior is logged to the console for visual confirmation and to aid in validating instrumentation (e.g., IAST agents).
Contributions are welcome! To add a new test case:
- Add a new HTML file in the root following the same structure as existing tests.
- Add a corresponding script in the
js/
directory. - Update
index.html
to include a link to your new test. - Submit a pull request describing your test case and sink.
This project is provided under the MIT License unless otherwise specified.