Untrusted Types is a Chrome extension that abuses Trusted Types to log DOMXSS sinks. Requires Chrome v85+.
- Download this repo
- Go to Extension in Chrome
- Enable Developer mode
- Load unpacked and choose the repo directory
Untrusted Types works by logging DOM manipulations that could lead to XSS. Simply open DevTools and start debugging. It supports two types of sink discovery.
This is the standward way which is to simply log all sinks and the corresponding changes to the DOM. You start tracing from the sinks back to the sources.
This is useful when there are too many sinks but few sources. Insert the keyword d0mxss
in sources and sinks that contain this string will be highlighted. You start tracing from the sources to the sinks.
Additionally, you can change the keyword and configure whether to only show highlighted sinks in content.js.
- While it covers a majority of sinks, it doesn't cover navigation sinks like
location = user_input
unless it'slocation = 'javascript:' + user_input
. - It doesn't work in websites that are already using Trusted Types. This is not a problem for now because even Google themselves don't use it a lot
- If console logs are not showing the stack trace, refresh the page.
- It will fail on web pages with
<iframe src="javascript:...">
(but fine if dynamically inserted). Check issue #1