Skip to content
/ DomXssFinder Public

Find sources and sinks in js code that could lead to DOM XSS πŸ”ŽπŸ’§πŸš°

17 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

ariary/DomXssFinder

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

20 Commits

README.md

README.md

Β 
Β 

fsink

fsink

Β 
Β 

fsource

fsource

Β 
Β 

Repository files navigation

DomXssFinder

Find sources and sinks in js code that could lead to DOM XSS

πŸ’§ Source := JavaScript property that accepts user controlled data (eg location.search)

🚰 Sink := Potential dangerous JavaScript function or DOM object that can cause indesirable effect if attacker controlled data is pass to it (eg eval)

How ?

> Find sources in js code:

cat [js_file] | fsource

> Find sinks in js code:

cat [js_file] | fsink

πŸ’‘ Tip: To retrieve all js code from an url ~> jse:

export URL=[url]
curl -s $URL -H "Accept: text/html" | jse -u $URL -gather-src 2>/dev/null

Find all related shortcuts: bang πŸ’₯

πŸ’‘ Tip 2: Use -C [NUM] parameter to get more context when source/sink has been found (Print [NUM] lines of output context)

Get ready !

curl -s -lO -L https://github.com/ariary/DomXssFinder/releases/latest/download/fsink 
curl -s -lO -L https://github.com/ariary/DomXssFinder/releases/latest/download/fsource
chmod +x fsink fsource
mv fsink [path in $PATH] && mv fsource [path in $PATH]

Notes

See how to exploit:

About

Find sources and sinks in js code that could lead to DOM XSS πŸ”ŽπŸ’§πŸš°

Topics

security scanner xss bug-bounty pentest dom-xss web-application-security pentest-tool web-application-security-scanner

Resources

Readme
Activity

Stars

17 stars

Watchers

2 watching

Forks

3 forks
Report repository

Releases 3

v1.0.2 Latest
Jun 6, 2022
+ 2 releases

Packages

No packages published

Languages