2024-03-19 15:34:31 +00:00
|
|
|
id: dom-invader-xss
|
2021-07-28 18:49:30 +00:00
|
|
|
|
|
|
|
|
info:
|
2022-09-16 19:50:10 +00:00
|
|
|
name: DOM Invader - Cross-Site Scripting
|
2021-07-28 18:49:30 +00:00
|
|
|
author: geeknik
|
2022-09-16 19:50:10 +00:00
|
|
|
severity: high
|
|
|
|
|
description: DOM Invader contains a cross-site scripting vulnerability in Sources & Sinks functionality.
|
2022-04-22 10:38:41 +00:00
|
|
|
reference:
|
|
|
|
|
- Inspired by https://portswigger.net/blog/introducing-dom-invader
|
2022-09-16 19:50:10 +00:00
|
|
|
classification:
|
|
|
|
|
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
|
|
|
|
|
cvss-score: 7.2
|
|
|
|
|
cwe-id: CWE-79
|
2021-08-02 15:50:22 +00:00
|
|
|
tags: xss,file
|
2021-07-28 18:49:30 +00:00
|
|
|
file:
|
|
|
|
|
- extensions:
|
|
|
|
|
- js
|
|
|
|
|
- ts
|
|
|
|
|
- html
|
2023-07-04 16:04:19 +00:00
|
|
|
- htm
|
2021-07-28 18:49:30 +00:00
|
|
|
- php
|
|
|
|
|
- cs
|
|
|
|
|
- rb
|
|
|
|
|
- py
|
|
|
|
|
|
|
|
|
|
extractors:
|
|
|
|
|
- type: regex
|
|
|
|
|
name: sink
|
|
|
|
|
part: body
|
|
|
|
|
regex:
|
2021-07-28 18:51:10 +00:00
|
|
|
- 'jQuery(\.globalEval|\.\$|\.constructor|\.parseHTML|\.has|\.init|\.index|\.add|\.append|\.appendTo|\.after|\.insertAfter|\.before|\.insertBefore|\.html|\.prepend|\.prependTo|\.replaceWith|\.replaceAll|\.wrap|\.wrapALL|\.wrapInner|\.prop\.innerHTML|\.prop\.outerHTML|\.attr\.onclick|\.attr\.onmouseover|\.attr.onmousedown|\.attr\.onmouseup|\.attr\.onkeydown|\.attr\.onkeypress|\.attr\.onkeyup|\.attr\.href|\.attr\.src|\.attr\.data|\.attr\.action|\.attr\.formaction|\.prop\.href|\.prop\.src|\.prop\.data|\.prop\.action|\.prop\.formaction)'
|
2021-07-28 18:49:30 +00:00
|
|
|
- 'eval|Function|execScript|msSetImmediate|fetch(\.body)?|form\.action|websocket|RegExp|javascriptURL|createContextualFragment|webdatabase\.executeSql|JSON\.parse'
|
|
|
|
|
- 'fetch(\.body)?'
|
|
|
|
|
- 'history(\.pushState|\.replaceState)'
|
|
|
|
|
- '(session|local)Storage(\.setItem(\.name|\.value))'
|
|
|
|
|
- 'anchor(\.href|\.target)'
|
|
|
|
|
- 'button(\.formaction|\.value)'
|
|
|
|
|
- 'set(Timeout|Interval|Immediate)'
|
|
|
|
|
- 'script(\.src|\.textContent|\.innerText|\.innerHTML|\.appendChild|\.append)'
|
|
|
|
|
- 'document(\.write|\.writeln|\.implementation\.createHTMLDocument|\.domain|\.cookie|\.evaluate)'
|
|
|
|
|
- 'element(\.outerText|\.innerText|\.textContent|\.style\.cssText|\.innerHTML|\.outerHTML|\.insertAdjacentHTML|\.setAttribute(\.onclick|\.onmouseover|\.onmousedown|\.onmouseup|\.onkeydown|\.onkeypress|\.onkeyup|\.href|\.src|\.data|\.action|\.formaction))'
|
|
|
|
|
- 'location(\.href|\.replace|\.assign|\.pathname|\.protocol|\.host|\.hostname|\.hash|\.search)?'
|
|
|
|
|
- 'iframe(\.srcdoc|\.src)'
|
|
|
|
|
- 'xhr(\.open|\.send|\.setRequestHeader(\.name|\.value)?)'
|
2023-10-14 11:27:55 +00:00
|
|
|
|
2021-07-28 18:49:30 +00:00
|
|
|
- type: regex
|
|
|
|
|
name: source
|
|
|
|
|
part: body
|
|
|
|
|
regex:
|
|
|
|
|
- 'location(\.href|\.hash|\.search|\.pathname)?'
|
|
|
|
|
- 'window\.name'
|
2023-10-14 11:27:55 +00:00
|
|
|
- 'document(\.URL|\.referrer|\.documentURI|\.baseURI|\.cookie)'
|
2024-04-08 07:07:11 +00:00
|
|
|
# digest: 490a0046304402207cb01583d1a2752ecf4e9fc678dfecec46dfa254251612555d2126e63fc7c7e002202b4d56e018e4837351900cabe41fbb26d0f23c13bfbf5387f8e2161fff66ba60:922c64590222798bb761d5b6d8e72950
|
