id: dom-xss info: name: DOM Invader - Cross-Site Scripting author: geeknik severity: high description: DOM Invader contains a cross-site scripting vulnerability in Sources & Sinks functionality. reference: - Inspired by https://portswigger.net/blog/introducing-dom-invader classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N cvss-score: 7.2 cwe-id: CWE-79 tags: xss,file file: - extensions: - js - ts - html - htm - php - cs - rb - py extractors: - type: regex name: sink part: body regex: - 'jQuery(\.globalEval|\.\$|\.constructor|\.parseHTML|\.has|\.init|\.index|\.add|\.append|\.appendTo|\.after|\.insertAfter|\.before|\.insertBefore|\.html|\.prepend|\.prependTo|\.replaceWith|\.replaceAll|\.wrap|\.wrapALL|\.wrapInner|\.prop\.innerHTML|\.prop\.outerHTML|\.attr\.onclick|\.attr\.onmouseover|\.attr.onmousedown|\.attr\.onmouseup|\.attr\.onkeydown|\.attr\.onkeypress|\.attr\.onkeyup|\.attr\.href|\.attr\.src|\.attr\.data|\.attr\.action|\.attr\.formaction|\.prop\.href|\.prop\.src|\.prop\.data|\.prop\.action|\.prop\.formaction)' - 'eval|Function|execScript|msSetImmediate|fetch(\.body)?|form\.action|websocket|RegExp|javascriptURL|createContextualFragment|webdatabase\.executeSql|JSON\.parse' - 'fetch(\.body)?' - 'history(\.pushState|\.replaceState)' - '(session|local)Storage(\.setItem(\.name|\.value))' - 'anchor(\.href|\.target)' - 'button(\.formaction|\.value)' - 'set(Timeout|Interval|Immediate)' - 'script(\.src|\.textContent|\.innerText|\.innerHTML|\.appendChild|\.append)' - 'document(\.write|\.writeln|\.implementation\.createHTMLDocument|\.domain|\.cookie|\.evaluate)' - 'element(\.outerText|\.innerText|\.textContent|\.style\.cssText|\.innerHTML|\.outerHTML|\.insertAdjacentHTML|\.setAttribute(\.onclick|\.onmouseover|\.onmousedown|\.onmouseup|\.onkeydown|\.onkeypress|\.onkeyup|\.href|\.src|\.data|\.action|\.formaction))' - 'location(\.href|\.replace|\.assign|\.pathname|\.protocol|\.host|\.hostname|\.hash|\.search)?' - 'iframe(\.srcdoc|\.src)' - 'xhr(\.open|\.send|\.setRequestHeader(\.name|\.value)?)' - type: regex name: source part: body regex: - 'location(\.href|\.hash|\.search|\.pathname)?' - 'window\.name' - 'document(\.URL|\.referrer|\.documentURI|\.baseURI|\.cookie)' # digest: 4a0a004730450220156c7817e33c48d906821587c273a5b1ecd3ed8996c0616e7468f27a46d04aec022100893e4c2dce9b2668a6643dd2fbe05f4a536c3b2df1e7223d971503333da4fb7f:922c64590222798bb761d5b6d8e72950