# Introduction

Sboxr DOM is a dedicated tool for DOM Security Analysis that automatically detects the 43 classes of DOM Security Issue listed below.

{% hint style="info" %}
It is pronounced as S-BOXER
{% endhint %}

Web security tools overwhelmingly focus on server-side vulnerabilities, yet the client-side JavaScript in modern web applications has become large and feature-rich. Analyzing it properly needs a dedicated tool, just as mobile apps have dedicated security analysis tools. Today, client-side security analysis usually stops at a few variants of DOM XSS; going further demands a lot of expertise and is very time and effort intensive.

This is where Sboxr comes in: it covers everything from the more obscure variants of DOM XSS to entirely new categories of issues, significantly increasing your test coverage while reducing the time and effort involved.

The DOM Security Issues found by Sboxr are listed below. **Type** is the severity Sboxr assigns (Error, Warning or Info) and **Category** groups related issues. For the Code Execution rows, the severity follows two things: how much an attacker can influence the source (navigation and URL properties, cross-site data, cross-sub-domain data, same-domain data, DOM storage, user input) and whether the data was already in the format it ends up being executed as (non-HTML data executed as HTML rates higher than HTML-format data executed as HTML).

| #  | Issue                                                                                                                            | Type    | Category       |
| -- | -------------------------------------------------------------------------------------------------------------------------------- | ------- | -------------- |
| 1  | Data from attacker controllable navigation based DOM properties is executed as HTML                                              | Error   | Code Execution |
| 2  | Data from attacker controllable navigation based DOM properties is executed as JavaScript                                        | Error   | Code Execution |
| 3  | Data from attacker controllable URL based DOM properties is executed as HTML                                                     | Error   | Code Execution |
| 4  | Data from attacker controllable URL based DOM properties is executed as JavaScript                                               | Error   | Code Execution |
| 5  | Non-HTML format Data from DOM storage is executed as HTML                                                                        | Warning | Code Execution |
| 6  | Non-JavaScript format Data from DOM storage is executed as JavaScript                                                            | Warning | Code Execution |
| 7  | HTML format Data from DOM storage is executed as HTML                                                                            | Info    | Code Execution |
| 8  | JavaScript format Data from DOM storage is executed as JavaScript                                                                | Info    | Code Execution |
| 9  | Data from user input is executed as HTML                                                                                         | Warning | Code Execution |
| 10 | Data from user input is executed as JavaScript                                                                                   | Warning | Code Execution |
| 11 | Non-HTML format Data taken from external site(s) (via Ajax, WebSocket or Cross-Window Messages) is executed as HTML              | Error   | Code Execution |
| 12 | Non-JavaScript format Data taken from external site(s) (via Ajax, WebSocket or Cross-Window Messages) is executed as JavaScript  | Error   | Code Execution |
| 13 | HTML format Data taken from external site(s) (via Ajax, WebSocket or Cross-Window Messages) is executed as HTML                  | Warning | Code Execution |
| 14 | JavaScript format Data taken from external site(s) (via Ajax, WebSocket or Cross-Window Messages) is executed as JavaScript      | Warning | Code Execution |
| 15 | Non-HTML format Data taken from across sub-domain (via Ajax, WebSocket or Cross-Window Messages) is executed as HTML             | Warning | Code Execution |
| 16 | Non-JavaScript format Data taken from across sub-domain (via Ajax, WebSocket or Cross-Window Messages) is executed as JavaScript | Warning | Code Execution |
| 17 | HTML format Data taken from across sub-domain (via Ajax, WebSocket or Cross-Window Messages) is executed as HTML                 | Info    | Code Execution |
| 18 | JavaScript format Data taken from across sub-domain (via Ajax, WebSocket or Cross-Window Messages) is executed as JavaScript     | Info    | Code Execution |
| 19 | Non-HTML format Data taken from same domain (via Ajax, WebSocket or Cross-Window Messages) is executed as HTML                   | Warning | Code Execution |
| 20 | Non-JavaScript format Data taken from same domain (via Ajax, WebSocket or Cross-Window Messages) is executed as JavaScript       | Warning | Code Execution |
| 21 | HTML format Data taken from same domain (via Ajax, WebSocket or Cross-Window Messages) is executed as HTML                       | Info    | Code Execution |
| 22 | JavaScript format Data taken from same domain (via Ajax, WebSocket or Cross-Window Messages) is executed as JavaScript           | Info    | Code Execution |
| 23 | Weak Hashing algorithms are used                                                                                                 | Error   | Cryptography   |
| 24 | Weak Encryption algorithms are used                                                                                              | Error   | Cryptography   |
| 25 | Weak Decryption algorithms are used                                                                                              | Error   | Cryptography   |
| 26 | Cryptographic Hashing Operations were made                                                                                       | Info    | Cryptography   |
| 27 | Encryption operations were made                                                                                                  | Info    | Cryptography   |
| 28 | Decryption operations were made                                                                                                  | Info    | Cryptography   |
| 29 | Potentially Sensitive Data is leaked (via HTTP, Ajax, WebSocket or Cross-Window Messages)                                        | Error   | Data Leakage   |
| 30 | Potentially Sensitive Data is leaked through Referrer Headers                                                                    | Error   | Data Leakage   |
| 31 | Data is leaked through HTTP                                                                                                      | Warning | Data Leakage   |
| 32 | Data is leaked through WebSocket                                                                                                 | Warning | Data Leakage   |
| 33 | Data is leaked through Cross-Window Messages                                                                                     | Warning | Data Leakage   |
| 34 | Data is leaked through Referrer Headers                                                                                          | Warning | Data Leakage   |
| 35 | Potentially Sensitive Data is stored on Client-side Storage (in LocalStorage, SessionStorage, Cookies or IndexedDB)              | Warning | Data Storage   |
| 36 | Data is stored on Client-side Storage (in LocalStorage, SessionStorage, Cookies or IndexedDB)                                    | Info    | Data Storage   |
| 37 | Cross-window Messages are sent insecurely                                                                                        | Error   | Communication  |
| 38 | Cross-site communications are made                                                                                               | Warning | Communication  |
| 39 | Communications across sub-domains are made                                                                                       | Warning | Communication  |
| 40 | Same Origin communications are made                                                                                              | Info    | Communication  |
| 41 | JavaScript code is loaded from Cross-site Sources                                                                                | Warning | JS Code        |
| 42 | JavaScript code is loaded from across sub-domains                                                                                | Info    | JS Code        |
| 43 | JavaScript code is loaded from Same Origin                                                                                       | Info    | JS Code        |
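To make the source/sink pairing behind the table concrete, here is an added example (not Sboxr's own code and not an exact model of how it works): a toy taint tracker in which values from attacker-influenced sources carry a label, execution sinks check for that label, and each hit is rated using a handful of rows from the table above. The source names, the `SEVERITY` mapping, the `page` stand-in and the sample flows are all constructed assumptions so that it runs under Node without a browser.

```javascript
// Added example, not part of the Sboxr documentation or its code.
// A value that remembers which class of source it came from. A real tracker
// propagates the label through every string operation; here only join() does.
class Tainted {
  constructor(value, source) {
    this.value = String(value);
    this.source = source; // e.g. 'url', 'storage', 'message:cross-site'
  }
  toString() { return this.value; }
}

// Concatenate parts; the result stays tainted if any part is (first label wins).
function join(...parts) {
  const first = parts.find((p) => p instanceof Tainted);
  const text = parts.map(String).join('');
  return first ? new Tainted(text, first.source) : text;
}

// Severity per (source -> sink), assumed to mirror table rows 3, 4, 5, 11 and 21.
// Pairs not listed here default to 'Warning' (an assumption of this toy).
const SEVERITY = {
  'url->html': 'Error',
  'url->js': 'Error',
  'storage->html': 'Warning',
  'message:cross-site->html': 'Error',
  'message:same-origin->html': 'Info',
};

// Sources: each returns a Tainted value labelled with its origin class.
const sources = {
  fromLocationHash: (hash) => new Tainted(hash.slice(1), 'url'),
  fromLocalStorage: (stored) => new Tainted(stored, 'storage'),
  fromMessage: (event, pageOrigin) =>
    new Tainted(event.data, event.origin === pageOrigin ? 'message:same-origin' : 'message:cross-site'),
};

// Escaping for an HTML context is treated as a sanitizer: the result is a
// plain string, so writing it to an HTML sink produces no finding.
function escapeHtml(t) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(t).replace(/[&<>"']/g, (c) => map[c]);
}

// Stand-in for the page: sinks record findings instead of executing anything.
function makePage() {
  const findings = [];
  function report(value, sink) {
    if (!(value instanceof Tainted)) return; // untainted data is not a finding
    const key = `${value.source}->${sink}`;
    findings.push({ source: value.source, sink, severity: SEVERITY[key] || 'Warning', value: value.value });
  }
  return {
    findings,
    setInnerHTML(value) { report(value, 'html'); }, // element.innerHTML = ...
    evalScript(value) { report(value, 'js'); },     // eval(...), new Function(...)
  };
}

// Constructed sample flows, one per table row named in the comments.
function runSampleFlows() {
  const page = makePage();
  const pageOrigin = 'https://app.example';

  // Row 3: URL fragment written as markup.
  const name = sources.fromLocationHash('#<img src=x onerror=alert(1)>');
  page.setInnerHTML(join('<h1>Hello ', name, '</h1>'));

  // Same data, escaped first: a plain string reaches the sink, no finding.
  page.setInnerHTML(join('<h1>Hello ', escapeHtml(name), '</h1>'));

  // Row 5: non-HTML data from DOM storage rendered as HTML.
  page.setInnerHTML(sources.fromLocalStorage('<b>last search</b>'));

  // Rows 11 and 21: cross-window message data, cross-site versus same origin.
  page.setInnerHTML(sources.fromMessage({ origin: 'https://evil.example', data: '<i>x</i>' }, pageOrigin));
  page.setInnerHTML(sources.fromMessage({ origin: pageOrigin, data: '<i>x</i>' }, pageOrigin));

  // Row 4: URL fragment executed as JavaScript.
  page.evalScript(sources.fromLocationHash('#alert(document.cookie)'));

  return page.findings;
}

console.log(runSampleFlows());
```

The interesting part is the second flow: the same attacker-controlled fragment reaches the same sink, but because it passed through an HTML-context encoder the label is gone and nothing is reported. A real analyser has to make that judgement per sink context, since an HTML-escaped string written into `eval` is still a JavaScript execution issue.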

