Create dom-xss.yaml

2021-07-28 13:49:30 -05:00 · 2021-07-28 13:49:30 -05:00 · 58d7691435
parent 6d205308ea
commit 58d7691435
1 changed files with 46 additions and 0 deletions
--- a/file/xss/dom-xss.yaml
+++ b/file/xss/dom-xss.yaml
@ -0,0 +1,46 @@
+id: dom-xss
+
+info:
+  name: DOM XSS Sources & Sinks
+  reference: Inspired by https://portswigger.net/blog/introducing-dom-invader
+  # The existence of a sink or source does not by itself indicate a vulnerability. Due diligence must be performed on the results before opening a bug report.
+  author: geeknik
+  severity: info
+  tags: dom,xss,file
+
+file:
+  - extensions:
+      - js
+      - ts
+      - html
+      - php
+      - cs
+      - rb
+      - py
+
+    extractors:
+      - type: regex
+        name: sink
+        part: body
+        regex:
+          - 'jQuery(\.globalEval|\.\$|\..constructor|\.parseHTML|\.has|\.init|\.index|\.add|\.append|\.appendTo|\.after|\.insertAfter|\.before|\.insertBefore|\.html|\.prepend|\.prependTo|\.replaceWith|\.replaceAll|\.wrap|\.wrapALL|\.wrapInner|\.prop\.innerHTML|\.prop\.outerHTML|\.attr\.onclick|\.attr\.onmouseover|\.attr.onmousedown|\.attr\.onmouseup|\.attr\.onkeydown|\.attr\.onkeypress|\.attr\.onkeyup|\.attr\.href|\.attr\.src|\.attr\.data|\.attr\.action|\.attr\.formaction|\.prop\.href|\.prop\.src|\.prop\.data|\.prop\.action|\.prop\.formaction)'
+          - 'eval|Function|execScript|msSetImmediate|fetch(\.body)?|form\.action|websocket|RegExp|javascriptURL|createContextualFragment|webdatabase\.executeSql|JSON\.parse'
+          - 'fetch(\.body)?'
+          - 'history(\.pushState|\.replaceState)'
+          - '(session|local)Storage(\.setItem(\.name|\.value))'
+          - 'anchor(\.href|\.target)'
+          - 'button(\.formaction|\.value)'
+          - 'set(Timeout|Interval|Immediate)'
+          - 'script(\.src|\.textContent|\.innerText|\.innerHTML|\.appendChild|\.append)'
+          - 'document(\.write|\.writeln|\.implementation\.createHTMLDocument|\.domain|\.cookie|\.evaluate)'
+          - 'element(\.outerText|\.innerText|\.textContent|\.style\.cssText|\.innerHTML|\.outerHTML|\.insertAdjacentHTML|\.setAttribute(\.onclick|\.onmouseover|\.onmousedown|\.onmouseup|\.onkeydown|\.onkeypress|\.onkeyup|\.href|\.src|\.data|\.action|\.formaction))'
+          - 'location(\.href|\.replace|\.assign|\.pathname|\.protocol|\.host|\.hostname|\.hash|\.search)?'
+          - 'iframe(\.srcdoc|\.src)'
+          - 'xhr(\.open|\.send|\.setRequestHeader(\.name|\.value)?)'
+      - type: regex
+        name: source
+        part: body
+        regex:
+          - 'location(\.href|\.hash|\.search|\.pathname)?'
+          - 'window\.name'
+          - 'document(\.URL|\.referrer|\.documentURI|\.baseURI|\.cookie)'