HTML Manipulation sinks
Ohpe edited this page Jan 29, 2016 · 1 revision
The following operations allow HTML manipulation. If the vulnerable argument can be controlled, even partially, then the HTML can be manipulated to some extent and, consequently, it is possible to gain control of the user interface or execute JavaScript using classic Cross-Site Scripting attacks.
Sink | Argument | Browser | Example | Note |
---|---|---|---|---|
document.write | any | All | document.write("htmlString"+ usercontrolledVal) | |
document.writeln | any | All | document.writeln("htmlString"+ usercontrolledVal) | |
anyElement.innerHTML | assigned value | All | divEl.innerHTML = "htmlString"+ usercontrolledVal | |
Range.createContextualFragment | first arg | All | range.createContextualFragment("htmlString"+ usercontrolledVal ) | |
HTMLButton.value | assigned value | Explorer | buttonTag.value = "htmlString"+ usercontrolledVal | Equivalent to buttonTag.innerHTML assignment case |
(TBF)
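
For code review, the sinks in the table can be located with a simple line-based pass that also separates constant arguments from ones built at runtime. This is an added example, not part of the original wiki page; `findHtmlSinks`, `SINKS`, `SAMPLE` and the `readInput()` helper in the sample are hypothetical names, and the sample source is constructed.

```javascript
// Added example: line-based triage for the HTML manipulation sinks in the table above.
// It matches text only; it does not parse JavaScript or trace where values come from.
const SINKS = [
  { sink: "document.write", re: /\bdocument\.write\s*\((.*)\)/ },
  { sink: "document.writeln", re: /\bdocument\.writeln\s*\((.*)\)/ },
  { sink: "anyElement.innerHTML", re: /\.innerHTML\s*\+?=(?!=)(.*)/ },
  { sink: "Range.createContextualFragment", re: /\.createContextualFragment\s*\((.*)\)/ },
  // Per the table, a sink only for button elements in Internet Explorer, so expect noise.
  { sink: "HTMLButton.value", re: /\.value\s*\+?=(?!=)(.*)/ },
];

// A single quoted string literal carries no runtime data.
const STRING_LITERAL = /^(["'])(?:\\.|(?!\1)[^\\])*\1$/;

function findHtmlSinks(source) {
  const findings = [];
  source.split("\n").forEach((text, index) => {
    for (const { sink, re } of SINKS) {
      const match = re.exec(text);
      if (!match) continue;
      const argument = match[1].trim().replace(/;\s*$/, "").trim();
      findings.push({
        line: index + 1,
        sink,
        argument,
        // true when the argument is anything other than one string literal
        dynamic: !STRING_LITERAL.test(argument),
      });
    }
  });
  return findings;
}

// Constructed sample input; readInput() is a hypothetical source of user data.
const SAMPLE = [
  'var usercontrolledVal = readInput();',
  'document.write("<h1>Welcome</h1>");',
  'document.writeln("htmlString" + usercontrolledVal);',
  'divEl.innerHTML = "htmlString" + usercontrolledVal;',
  'var frag = range.createContextualFragment("htmlString" + usercontrolledVal);',
  'buttonTag.value = "htmlString" + usercontrolledVal;',
  'if (divEl.innerHTML == "") { divEl.textContent = usercontrolledVal; }',
].join("\n");

for (const f of findHtmlSinks(SAMPLE)) {
  console.log(`${f.line}: ${f.sink} ${f.dynamic ? "DYNAMIC" : "constant"} ${f.argument}`);
}
```

Findings marked DYNAMIC are the ones to trace back to their source; the comparison and the `textContent` assignment on the last sample line are not reported.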