XSS notes
1. DOM-based XSS
1.1. Sources
window.location
window.location.hash
window.location.search
window.location.href
window.location.pathname // In some cases
document.URL
document.documentURI
document.baseURI
document.referrer
URL.search
URL.searchParams.get(param)
input.value
// TBD: Cookies
1.2. Sinks
1.2.1. URL injection
window.location.href = x
window.location.assign(x)
window.location.replace(x)
document.domain = x
1.2.2. DOM injection
element.innerHTML = x
element.outerHTML = x
element.insertAdjacentHTML(position, x)
document.write(x)
document.writeln(x)
1.2.3. Attribute injection
el.setAttribute(attr, x)
el.setAttribute('href', x)
el.setAttribute('src', x)
element.onevent = x
el.style.cssText = x
1.2.4. Code injection
eval(x)
Function(x)
setTimeout(x)
setInterval(x)
setImmediate(x)
execCommand(x)
execScript(x)
1.2.5. Open redirect
history.go(-1)
history.pushState(x)
history.replaceState(x)
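
A review aid built from the source and sink lists above. This is an added example, not part of the original notes: a heuristic, line-based audit that flags a sink when its argument or right-hand side mentions a source or a variable assigned from one. The function name `auditDomXss` and the sample script are constructed for illustration.

```javascript
// Added example: heuristic line-based audit (not a parser) for source-to-sink flows.
const SOURCES = new RegExp([
  String.raw`\blocation\b`,
  String.raw`\bdocument\.(?:URL|documentURI|baseURI|referrer)\b`,
  String.raw`\bsearchParams\.get\s*\(`,
  String.raw`\.value\b`, // input.value; deliberately broad
].join('|'));

const SINKS = [
  ['url', /\blocation\.href\s*=(?!=)|\blocation\.(?:assign|replace)\s*\(|\bdocument\.domain\s*=(?!=)/],
  ['dom', /\.(?:innerHTML|outerHTML)\s*=(?!=)|\.insertAdjacentHTML\s*\(|\bdocument\.write(?:ln)?\s*\(/],
  ['attr', /\.setAttribute\s*\(|\.on[a-z]+\s*=(?!=)|\.style\.cssText\s*=(?!=)/],
  ['code', /\b(?:eval|Function|setTimeout|setInterval|setImmediate|execScript)\s*\(/],
];

// Returns [{ line, kind, text }] for each sink whose argument or right-hand
// side mentions a source or a variable previously assigned from one.
function auditDomXss(code) {
  const tainted = new Set();
  const findings = [];
  const isTainted = (expr) =>
    SOURCES.test(expr) ||
    (expr.match(/[A-Za-z_$][\w$]*/g) || []).some((id) => tainted.has(id));
  code.split('\n').forEach((line, i) => {
    // Propagate taint through simple declarations: const x = <tainted expr>
    const decl = line.match(/\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*(.+)/);
    if (decl && isTainted(decl[2])) tainted.add(decl[1]);
    for (const [kind, re] of SINKS) {
      const m = re.exec(line);
      if (m && isTainted(line.slice(m.index + m[0].length))) {
        findings.push({ line: i + 1, kind, text: line.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample input (not from a real application).
const SAMPLE = [
  "const q = new URLSearchParams(window.location.search).get('q');",
  "const banner = '<b>' + q + '</b>';",
  "document.getElementById('out').innerHTML = banner;",
  "document.getElementById('safe').textContent = q;",
  "window.location.assign(decodeURIComponent(location.hash.slice(1)));",
  "setTimeout(function () { render(); }, 100);",
  "eval(q);",
].join('\n');
console.log(auditDomXss(SAMPLE));
```

Matches are a starting point for manual review: the audit does not follow taint through function calls, object properties or reassignments without a declaration keyword.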