In this section, we'll talk about what DOM-based link manipulation is, look at the impact of an attack, and suggest ways of preventing it.
DOM-based link-manipulation vulnerabilities arise when a script writes attacker-controllable data to a navigation target within the current page, such as a clickable link or the submission URL of a form. An attacker might be able to use this vulnerability to construct a URL that, if visited by another application user, will modify the target of links within the response.
An attacker may be able to leverage this vulnerability to perform various attacks, including:
The following are some of the main sinks that can lead to DOM-based link-manipulation vulnerabilities:
In addition to the general measures described on the DOM-based vulnerabilities page, you should avoid allowing data from any untrusted source to dynamically set the target URL for links or forms.
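Where a link or form target genuinely has to be derived from request data, the value can be resolved and checked before it reaches the navigation sink. The following is an added example, not code from the original page; the origin `https://app.example`, the path allowlist and the function names `safeNavigationTarget` and `setNavigationTarget` are assumptions made for illustration.

```javascript
// Added example; names and values below are assumptions, not from the page.
const PAGE_ORIGIN = 'https://app.example';   // assumed origin of the current page
const ALLOWED_PATHS = new Set(['/account', '/orders', '/help']); // assumed allowlist
const FALLBACK = '/';

// Vulnerable pattern the page describes (untrusted data written to a sink):
//   link.href = new URLSearchParams(location.search).get('next');

// Returns a same-origin, allowlisted relative URL, or FALLBACK.
function safeNavigationTarget(untrusted, pageOrigin = PAGE_ORIGIN) {
  if (typeof untrusted !== 'string') return FALLBACK;
  let url;
  try {
    // Parse the way the browser would, so "//host", "/\host" and
    // "javascript:" are judged on what they resolve to, not on their spelling.
    url = new URL(untrusted, pageOrigin);
  } catch {
    return FALLBACK;
  }
  // Rejects other hosts, and schemes such as javascript: or data:
  // whose origin serializes as "null".
  if (url.origin !== pageOrigin) return FALLBACK;
  // Pathname is already normalized here, so "/account/../admin" is "/admin".
  if (!ALLOWED_PATHS.has(url.pathname)) return FALLBACK;
  // Emit a relative URL so the written value can never name another origin.
  return url.pathname + url.search;
}

// Hardened write to a navigation sink (an <a>.href or a <form>.action).
function setNavigationTarget(element, property, untrusted) {
  if (property !== 'href' && property !== 'action') {
    throw new TypeError('unsupported navigation property');
  }
  element[property] = safeNavigationTarget(untrusted);
  return element[property];
}
```

In a page this would be called as `setNavigationTarget(link, 'href', params.get('next'))`, so the raw parameter never reaches the element.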