Skip to content

Use of document.domain

What does this mean ?

When data is copied from a request and echoed into the application's immediate response within a section of the DOM, it is subsequently handled in an unsafe manner by a client-side script. An attacker can utilize reflection to manipulate a portion of the response (for example, a JavaScript string) that can then be used to exploit the DOM-based vulnerability.

What can happen ?

Document domain manipulation occurs when a script sets the document.domain attribute using controlled data. An attacker might use the flaw to create a URL that, when visited by another application user, causes the response page to set an arbitrary document.domain value.


The best strategy to avoid DOM-based document domain manipulation vulnerabilities is to avoid dynamically setting the document.domain attribute with data from any untrusted source. If the document.domain attribute must be set programmatically from client-side code, the application should use a specified list of allowed values and assign only from that list.

Sample Code

Vulnerable :