A New Approach to Detecting DOM Injections with Data Science

The DOM provides developers with flexible and powerful tools for real-time page content manipulation. However, this flexibility also becomes a vulnerability — the interface can be exploited in unintended ways.

Why DOM Injections Have Become Especially Hard to Detect

DOM injections are a type of client-side attack in which malicious code is injected directly into the page structure on the user's side. The script runs in the browser, intercepts actions, accesses data, and alters interface behavior — all without interacting with the server or triggering traditional security tools.

Attackers continue to refine their methods, while conventional security measures are losing effectiveness. Here’s why:

1. The Size and Complexity of Modern Applications

Most web products use dozens of external scripts loaded from various CDNs. This opens the door to injection attacks: malicious code is injected into obscure dependencies and remains unnoticed. Traditional signature-based tools fail to detect the majority of such attacks.

2. Obfuscation and Dynamic Injections

Modern attacks rarely use straightforward script injections. Instead, malicious code is embedded into legitimate frameworks or only activates under specific user actions. These scenarios bypass static rules and render template-based detection ineffective.

3. Limitations of Traditional Tools

Domain blacklists, offline scanners, and both static and most dynamic rules are unable to detect threats forming in real time. Modern attacks dynamically assemble their codebase inside the browser. By the time protection systems see it — the incident has usually already occurred.

Common Types of DOM Injections

• Interface manipulation: replacing links and controls to redirect users to malicious resources

• Hidden keylogging: tracking text input, user actions, and sending data to third-party servers

• DOM element spoofing: displaying fake forms, pop-ups, or banners to steal user data

• CSP bypass: exploiting trusted loaders, subdomains, or data: URLs to circumvent security policies

JuicyScore's Approach: DTS Detection System

To counter these threats, we developed DTS (Direct & Correlated Detection System) — a hybrid solution combining deep DOM monitoring with behavioral session analysis in real time.

Direct Detection (DOM API Instrumentation)

We monitor critical DOM API calls — such as appendChild, setAttribute, eval — and detect deviations from legitimate behavior patterns. This enables early identification of suspicious page structure modifications before they affect users.

Behavioral Detection (Session Analysis)

DOM injections don’t occur in a vacuum. Data science tools help us analyze the full session behavior in detail:

• Browser API integrity violations

• Behavior associated with high final session risk

• Multiple page reloads

• Abnormal virtual user activity or artificial session slowdown, etc.

• Identifying correlations of this nature allows us to uncover additional threats and DOM-level attack patterns.

Early Results

• Single injections in real user sessions: at least one high-risk injection (usually from third-party widgets) is detected in ~1% of global sessions and is automatically handled.

• Multiple injections in real user sessions: <0.2% of sessions contain multiple injections, requiring immediate high-priority response.

• Risk discovery: our new data science approach detects over 40% of high-risk injection sessions that went unnoticed under previous detection models.

• Speed and accuracy: DTS has increased detection speed and accuracy by over 10x and reduced manual analysis time by more than 80%.

What’s Next?

In the upcoming API17+ release, we will introduce:

• Expanded server-side telemetry for identifying dangerous injections

• Improved risk scoring algorithms

• The ability to block DOM injections before they affect end users — at the very moment they appear in the DOM

How to Protect Your business Today

DOM injections are a form of attack that largely evade traditional security solutions. JuicyScore offers a different approach: dynamic behavioral analysis combined with deep client-side inspection. This method enables early-stage threat detection and damage prevention — before it happens.

If your web application relies on third-party scripts, now is the time to upgrade your web protection strategy.