A critical oversight in dynamically loaded JavaScript enabled a $500 DOM XSS attack — here’s how it worked and how you can find similar issues.
In the world of client-side vulnerabilities, few bugs are as silently powerful as DOM-based Cross-Site Scripting (XSS). Unlike traditional reflected or stored XSS, DOM XSS resides entirely in the client’s browser, exploiting the way JavaScript handles untrusted input — often bypassing WAFs, CSPs, and even bug bounty scanners.
In this report, we’ll explore how a critical DOM XSS flaw in Gatecoin’s charting_library allowed an attacker to inject and execute arbitrary JavaScript code by manipulating a URL fragment. The bug was awarded $500, and it perfectly showcases how improper handling of dynamic script imports can lead to full account compromise.
The vulnerable endpoint was located at:
<https://gatecoin.com/widget-trade/assets/charting_library/static/tv-chart.html>

This page took a URL fragment parameter called indicatorsFile and directly passed it into $.getScript(), a jQuery method that loads…
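The sink described above is a fragment value flowing unchanged into $.getScript(). As an added example (not Gatecoin's code and not part of the original report), the snippet below contrasts that pattern with a hardened resolver that accepts only allowlisted same-origin script paths; the allowlist entries, page origin and test inputs are constructed for illustration.

```javascript
// Constructed allowlist of script paths the page is allowed to load.
const ALLOWED_INDICATOR_FILES = new Set([
  "/widget-trade/assets/charting_library/static/indicators.js",
  "/widget-trade/assets/charting_library/static/indicators-extra.js",
]);

// Extract a named parameter from a fragment such as
// "#indicatorsFile=foo.js&theme=dark". Returns null when absent.
function getFragmentParam(hash, name) {
  const fragment = hash.startsWith("#") ? hash.slice(1) : hash;
  const params = new URLSearchParams(fragment);
  return params.has(name) ? params.get(name) : null;
}

// Vulnerable pattern: the raw fragment value is what would reach
// $.getScript(), so the page has no say in which script gets executed.
function resolveIndicatorsFileUnsafe(hash) {
  return getFragmentParam(hash, "indicatorsFile");
}

// Hardened pattern: resolve the value against the page origin, reject
// anything cross-origin, and accept only allowlisted normalised paths
// (URL parsing also collapses "../" segments before the lookup).
function resolveIndicatorsFileSafe(hash, pageOrigin) {
  const raw = getFragmentParam(hash, "indicatorsFile");
  if (raw === null) return null;
  let url;
  try {
    url = new URL(raw, pageOrigin); // relative paths resolve against the page
  } catch {
    return null; // unparseable input is rejected
  }
  if (url.origin !== new URL(pageOrigin).origin) return null; // cross-origin
  if (!ALLOWED_INDICATOR_FILES.has(url.pathname)) return null; // not allowlisted
  return url.href;
}

// Stand-alone demonstration with constructed inputs.
if (typeof require !== "undefined" && require.main === module) {
  const origin = "https://gatecoin.com"; // page origin, assumed for the example
  console.log(resolveIndicatorsFileUnsafe("#indicatorsFile=//evil.example/x.js"));
  console.log(resolveIndicatorsFileSafe("#indicatorsFile=//evil.example/x.js", origin));
  console.log(resolveIndicatorsFileSafe(
    "#indicatorsFile=/widget-trade/assets/charting_library/static/indicators.js", origin));
}
```

The same allowlist check is also the one a reviewer would look for when auditing any `$.getScript`, `import()` or `script.src` call whose argument is derived from `location.hash` or `location.search`.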