Sources

Native JavaScript

  • document.URL
  • document.documentURI
  • document.URLUnencoded
  • document.baseURI
  • location
  • location.href
  • location.search
  • location.pathname
  • location.hash
  • document.cookie
  • document.referrer
  • window.name
  • history.pushState
  • history.replaceState
  • localStorage.getItem
  • sessionStorage.getItem
  • sessionStorage.key

Others

  • Ajax (XMLHttpRequest/Fetch)
  • IndexedDB (mozIndexedDB, webkitIndexedDB, msIndexedDB)
  • Database
  • Window Messaging

Sinks

DOM-XSS Sinks

  • document.write()
  • document.writeln()
  • document.domain
  • element.innerHTML
  • element.outerHTML
  • element.insertAdjacentHTML()
  • element.onevent

jQuery

  • add()
  • attr()
  • after()
  • append()
  • appendTo()
  • animate()
  • insertAfter()
  • insertBefore()
  • before()
  • html()
  • prepend()
  • prependTo()
  • prop()
  • replaceAll()
  • replaceWith()
  • wrap()
  • wrapInner()
  • wrapAll()
  • has()
  • constructor()
  • init()
  • index()
  • val()
  • jQuery.parseHTML()
  • $.parseHTML()

Open-Redirection Sinks

The following sinks can lead to both open redirection and XSS:

  • location
  • location.host
  • location.hostname
  • location.href
  • location.pathname
  • location.search
  • location.protocol
  • location.assign()
  • location.replace()

Other sinks:

  • open()
  • element.srcdoc
  • XMLHttpRequest.open()
  • XMLHttpRequest.send()
  • jQuery.ajax()
  • $.ajax()
  • document.cookie

JavaScript Injection Sinks

  • eval()
  • Function()
  • setTimeout()
  • setInterval()
  • setImmediate()
  • execCommand()
  • execScript()
  • msSetImmediate()
  • range.createContextualFragment()
  • crypto.generateCRMFRequest()
  • <script>PAYLOAD</script>
  • <div onclick='PAYLOAD'>

Document-Domain Manipulation Sink

  • document.domain

WebSocket-URL Poisoning Sink

  • WebSocket
  • element.href
  • element.src
  • element.action

Ajax Request-Header Manipulation Sinks

  • XMLHttpRequest.setRequestHeader()
  • XMLHttpRequest.open()
  • XMLHttpRequest.send()
  • jQuery.globalEval()
  • $.globalEval()

Local File-Path Manipulation Sinks

  • FileReader.readAsArrayBuffer()
  • FileReader.readAsBinaryString()
  • FileReader.readAsDataURL()
  • FileReader.readAsText()
  • FileReader.readAsFile()
  • FileReader.root.getFile()

Client-Side SQL-Injection Sink

  • executeSql()

HTML5 Storage Manipulation Sinks

  • sessionStorage.setItem()
  • localStorage.setItem()

XPath Injection Sinks

  • document.evaluate()
  • element.evaluate()

Client-Side JSON Injection Sinks

  • JSON.parse()
  • jQuery.parseJSON()
  • $.parseJSON()

DOM-Data Manipulation Sinks

  • script.src
  • script.text
  • script.textContent
  • script.innerText
  • element.setAttribute()
  • element.search
  • element.text
  • element.textContent
  • element.innerText
  • element.outerText
  • element.value
  • element.name
  • element.target
  • element.method
  • element.type
  • element.backgroundImage
  • element.cssText
  • element.codebase
  • document.title
  • document.implementation.createHTMLDocument()
  • history.pushState()
  • history.replaceState()

Denial Of Service Sinks

  • requestFileSystem()
  • RegExp()

Attribute Manipulation Sinks

  • element.setAttribute('href', notLiteralSource); the element can be img, iframe, script or a.
  • element.setAttribute('src', notLiteralSource); the element can be img, iframe, script or a.
  • script.setAttribute('text', notLiteralSource);
  • script.setAttribute('innerText', notLiteralSource);
  • element.setAttribute('on*', source);
  • element.setAttribute('value', source);

Resources