A | B | C | D | E | F | G | |
---|---|---|---|---|---|---|---|
1 | Sources | Description | Example | Sinks | Description | ||
2 | document.URL | Assigned value | eval | 1st Argument | |||
3 | document.documentURI | Assigned value | Function | The only argument if one is given, otherwise the last argument | |||
4 | document.URLUnencoded | Assigned value; IE only | setTimeout | 1st argument, if and only if it is a string | |||
5 | document.baseURI | Assigned value | setInterval | 1st argument, if and only if it is a string | |||
6 | document.cookie | Assigned value | execScript | 1st Argument | |||
7 | document.referrer | Assigned value | crypto.generateCRMFRequest | 5th Argument | |||
8 | location | Assigned value | ScriptElement.src | Assigned value | |||
9 | location.href | Assigned value | ScriptElement.text | Assigned value | |||
10 | location.search | Assigned value | ScriptElement.textContent | Assigned value | |||
11 | location.hash | Assigned value | ScriptElement.innerText | Assigned value | |||
12 | location.pathname | Assigned value | anyTag.onEventName | Assigned value | |||
13 | localStorage.getItem | 1st Argument | localStorage.getItem(literal); localStorage.getItem(variable); | document.write | Any argument | ||
14 | sessionStorage.getItem | 1st Argument | sessionStorage.getItem(literal); sessionStorage.getItem(variable); | document.writeln | Any argument | ||
15 | sessionStorage.key | 1st Argument | sessionStorage.key(literal); sessionStorage.key(variable); | anyElement.innerHTML | Assigned value | ||
16 | responseText | Assigned value | xhr.responseText; readonly | Range.createContextualFragment | 1st Argument | ||
17 | data | Assigned value | postMessage; e.data; | HTMLButton.value | Assigned value | ||
18 | value | Assigned value | <textarea>.value; <input>.value | location | Assigned value | ||
19 | name | Assigned value | location.href | Assigned value | |||
20 | window.name | Assigned value | location.pathname | Assigned value | |||
21 | websockets.onMessage | ?? | location.search | Assigned value | |||
22 | location.protocol | Assigned value | |||||
23 | location.hostname | Assigned value | |||||
24 | location.assign() | 1st Argument | |||||
25 | location.replace() | 1st Argument | |||||
26 | element.setAttribute('href', source); | If element is img, iframe, script, anchor and source is not a literal | |||||
27 | Prepared by | @dpnishant | element.setAttribute('src', source); | If element is img, iframe, script, anchor and source is not a literal | |||
28 | Legend | element.setAttribute('text', source); | If element is script and source is not a literal | ||||
29 | Sources Added by me | element.setAttribute('innerText', source); | If element is script and source is not a literal | ||||
30 | Confused... | element.setAttribute('on*', source); | If source is any element | ||||
31 | Practical Use Case? Confused... | element.setAttribute('value', source); | If source is input element | ||||
32 | Sinks added by me | ||||||
33 | Taken from DOMXSSWiki |