HOW is the malicious URL/payload is delivered to the user on a DOM based XSS attack?
The link you mention says that DOM-XSS is the de-facto XSS. This is simply stating that in XSS you are executing scripts (e.g. JavaScript) that are injected into the DOM.
HOW the malicious URL/payload is delivered to the user?
In some cases (reflected XSS) it's phishing: "Hey check out thiswebsit.com?p=[XSS payload]" When the phished user visits the site the script executes in their browser.
In other cases (stored XSS) you may be able to store a script in say, a comment box that is displayed to every other visitor of the site: "Hey this is a great site! [XSS payload]. Now when any user visits the site and your comment is rendered the malicious script is also executed in their browser.
In both cases although you've inserted JavaScript, that payload is not actually visible as text to the end user. The script is however executed in the end user's browser. The script payload may be a simple alert box, it might be a payload that sends their session authentication cookies to a server you control (allowing you to 'login' as them), or a number of other things.
How does the attacker identify a site with a possible DOM based XSS vulnerability?
Burp was already mentioned, this is a great tool.
A very basic way to get started testing/understanding XSS is to ask yourself when viewing a page "What data do I control, and what data is displayed back to me?". If you can test these data points for script injection you are on your way to understanding XSS. Data points that commonly are vulnerable to basic XSS attacks are comments, usernames, profile details, error messages, and search parameters.
I'll answer your second question first. An attacker identifies a DOM based XSS vulnerability just like any other vulnerability, however, they could also use JavaScript analysis tools too as the code is client-side. By probing the site using hacking tools or automated scanners. Automated scanners are not likely to bring up much on the big sites, as they would have already ran these themselves and fixed anything that has come up.
Tools such as Burp can be used in order to manipulate or fuzz parameters, or to analyse the code, and then find out how the site responds.
Regarding how the payload is sent to the vitim... I think your question is regarding all reflected XSS attacks rather than only DOM based reflected XSS. The payload could be sent:
- Via links sent to the victim in a phishing email.
- Via links posted onto a forum that would entice people to click them who have a good chance of being potential victims (e.g. ebay forums for an attack on ebay site itself).
- Redirecting users from compromised websites.
- Paid ads with the XSS URL as the go to location when clicked.