{"detect":{"cwe":"CWE-79","exploit_examples":["/dom/#<img src=x onerror=alert(1)>"],"notes":"The server never sees the fragment. Response-only DAST scanners miss this; detection needs a headless browser or static JS analysis.","owasp":"A03:2021 \u2014 Injection (XSS)","scanner_should_fire":true,"sinks":["element.innerHTML <- location.hash"],"subtype":"dom-based","success_markers":["alert(1)"],"tags":["dom","client-side-sink","fragment-only","invisible-to-server"]},"lab_url":"/dom/","sink":"element.innerHTML","slug":"dom","source_url":"/source/dom","summary":"Pure client-side sink. No reflection through the server.","title":"DOM-based XSS (location.hash \u2192 innerHTML)","vulnerable":true}
