Direct Execution sinks
Ohpe edited this page Jan 29, 2016
The following JavaScript functions and DOM properties parse (and execute) strings as JavaScript code. If the vulnerable argument can be controlled, even partially, then arbitrary JavaScript can be executed in the page.
| Function Name | Argument | Browser | Example |
|---|---|---|---|
| `eval` | first | All | `eval("jsCode"+usercontrolledVal)` |
| `Function` | first if there is only one, the last if there is more than one argument | All | `Function("jsCode"+usercontrolledVal)`, `Function("arg","arg2","jsCode"+usercontrolledVal)` |
| `setTimeout` | first, if and only if it is a string | All | `setTimeout("jsCode"+usercontrolledVal, timeMs)` |
| `setInterval` | first, if and only if it is a string | All | `setInterval("jsCode"+usercontrolledVal, timeMs)` |
| `setImmediate` | first, if and only if it is a string | IE 10+ | `setImmediate("jsCode"+usercontrolledVal)` |
| `execScript` | first | IE 6+ | `execScript("jsCode"+usercontrolledVal, "JScript")` |
| `crypto.generateCRMFRequest` | 5th | Firefox 2+ | `crypto.generateCRMFRequest('CN=0',0,0,null,'jsCode'+usercontrolledVal,384,null,'rsa-dual-use')` |
| `ScriptElement.src` | assignedValue | All | `script.src = usercontrolledVal` |
| `ScriptElement.text` | assignedValue | Internet Explorer | `script.text = 'jsCode'+usercontrolledVal` |
| `ScriptElement.textContent` | assignedValue | All but IE<9 | `script.textContent = 'jsCode'+usercontrolledVal` |
| `ScriptElement.innerText` | assignedValue | All but Firefox | `script.innerText = 'jsCode'+usercontrolledVal` |
| `anyTag.onEventName` | assignedValue | All | `anyTag.onclick = 'jsCode'+usercontrolledVal` |
(TBF)
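As an added example (not part of this wiki page or its project), the following script turns the table above into a line-oriented code-review aid: it flags each of the listed direct-execution sinks in a piece of source, distinguishing the string form of the timer functions (a sink) from the function form (not a sink), and it wraps `setTimeout` so that a string first argument is rejected at the call site. The sample source, the `STRING_ARG` heuristic and the convention that script-element variables start with `script` are assumptions made for the demo; the regexes do not parse JavaScript, so hits are candidates for review rather than confirmed bugs.

```javascript
// Added example, not part of the DOMXSS wiki page: a line-oriented scanner
// for the direct-execution sinks listed in the table, plus a guarded timer
// wrapper. SAMPLE_SOURCE is constructed for this demo; the regexes are
// heuristics (no parsing), so treat hits as review candidates.

// A timer call is a sink only when its first argument is a string: either a
// string literal or an expression that starts with an identifier and '+'.
const STRING_ARG = '\\(\\s*(?:["\'`]|[A-Za-z_$][\\w$]*\\s*\\+)';

const SINK_PATTERNS = [
  ['eval',                  /\beval\s*\(/],
  ['Function',              /\bFunction\s*\(/],
  ['setTimeout (string)',   new RegExp('\\bsetTimeout\\s*' + STRING_ARG)],
  ['setInterval (string)',  new RegExp('\\bsetInterval\\s*' + STRING_ARG)],
  ['setImmediate (string)', new RegExp('\\bsetImmediate\\s*' + STRING_ARG)],
  ['execScript',            /\bexecScript\s*\(/],
  // Element types cannot be resolved without a DOM, so (assumption) only
  // variables whose name starts with "script" count as ScriptElement sinks.
  // The (?!=) lookahead keeps comparisons such as "==" from matching.
  ['ScriptElement.src',     /\bscript\w*\.src\s*=(?!=)/i],
  ['ScriptElement.text*',   /\bscript\w*\.(?:text|textContent|innerText)\s*=(?!=)/i],
  ['anyTag.onEventName',    /\.on[a-z]+\s*=(?!=)/i],
];

// Returns one finding per (line, sink) pair: { line, sink, code }.
function findDirectExecutionSinks(source) {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    for (const [sink, pattern] of SINK_PATTERNS) {
      if (pattern.test(text)) {
        findings.push({ line: index + 1, sink, code: text.trim() });
      }
    }
  });
  return findings;
}

// Hardened counterpart of the setTimeout sink: only a function is accepted,
// so attacker-influenced text can never reach the string-evaluating form.
function scheduleSafely(callback, delayMs) {
  if (typeof callback !== 'function') {
    throw new TypeError('scheduleSafely: callback must be a function, got ' + typeof callback);
  }
  return setTimeout(callback, delayMs);
}

// Constructed sample source: a location.hash-derived value flows into several
// sinks from the table; line 4 shows the safe, function-based timer call.
const SAMPLE_SOURCE = [
  'var q = location.hash.slice(1);',                                  // 1: source only
  'eval("doSomething(" + q + ")");',                                   // 2: eval
  'setTimeout("render(\'" + q + "\')", 100);',                         // 3: string timer
  'setTimeout(function () { render(q); }, 100);',                     // 4: function timer (safe)
  'var script = document.createElement("script");',                   // 5
  'script.src = q;',                                                   // 6: ScriptElement.src
  'document.body.appendChild(script);',                                // 7
  'new Function("return " + q)();',                                    // 8: Function
  'document.getElementById("btn").onclick = "show(\'" + q + "\')";',   // 9: onEventName
].join('\n');

for (const f of findDirectExecutionSinks(SAMPLE_SOURCE)) {
  console.log('line ' + f.line + ': ' + f.sink + '  ->  ' + f.code);
}
```

Running the block prints five findings (lines 2, 3, 6, 8 and 9); the function-based timer on line 4 is correctly left alone. In a real code base the same scan is best applied to the tainted-flow candidates found via the Sources page rather than to every line, since the regexes will also report sinks whose arguments are constants.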