DOM-based XSS

This attack involves injecting the payload into the DOM.

How does it work?

In a DOM-based XSS attack, the injected script is carried in data that the page exposes through the DOM, such as a URL parameter, a cookie, or any other input that is processed by the client-side script. The victim's browser then executes the script, because it does not know that the script should not be trusted [8].

How can it be spotted?

DOM-based XSS attacks can be spotted by looking for user input that is processed by the client-side script without being sanitized. This can be in the form of a URL parameter, a cookie, or any other input that is processed by the client-side script.

How can it be prevented?

DOM-based XSS attacks can be prevented by sanitizing user input before processing it in the client-side script. This can be done by encoding the input or by validating it against a whitelist of allowed characters. This must be done on the client side to prevent the user bypassing the server-side validation.
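
The following is an added example, not code from the original page. It shows the unsanitized pattern described above next to the two client-side mitigations (encoding and whitelist validation). The "name" parameter, the function names, and both URLs are hypothetical and constructed for illustration.

```javascript
// Added example; runs in Node or a browser console and touches no real page.
// The "name" parameter and both URLs are constructed sample input.
const HOSTILE_URL =
  'https://example.test/welcome?name=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E';
const BENIGN_URL = 'https://example.test/welcome?name=Ada+Lovelace';

// Source: untrusted input read by client-side script.
function readNameParam(href) {
  return new URL(href).searchParams.get('name') ?? '';
}

// Vulnerable pattern: input concatenated into markup bound for innerHTML.
function greetingUnsafe(href) {
  return '<p>Hello, ' + readNameParam(href) + '</p>';
}

// Mitigation 1: encode the characters that are significant in HTML.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}
function greetingEncoded(href) {
  return '<p>Hello, ' + encodeHtml(readNameParam(href)) + '</p>';
}

// Mitigation 2: validate against a whitelist of allowed characters
// (letters, digits, space, hyphen, underscore; 1 to 32 characters).
const NAME_WHITELIST = /^[A-Za-z0-9 _-]{1,32}$/;
function greetingValidated(href) {
  const name = readNameParam(href);
  const shown = NAME_WHITELIST.test(name) ? name : 'guest';
  // Encode as well, so widening the whitelist later cannot reopen the hole.
  return '<p>Hello, ' + encodeHtml(shown) + '</p>';
}

for (const href of [HOSTILE_URL, BENIGN_URL]) {
  console.log('unsafe   :', greetingUnsafe(href));
  console.log('encoded  :', greetingEncoded(href));
  console.log('validated:', greetingValidated(href));
}
```

In a browser, assigning the value to `textContent` instead of `innerHTML` avoids HTML parsing of the input altogether.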