https://securitymb.github.io/xss/1/?xss=sink main.js
// Builds the module URL from CONFIG.version and moduleName (both defined
// outside this snippet; neither is validated here) and loads it through a
// dynamically created <script> element.
url += `/xss/1/modules/${CONFIG.version}/${moduleName}.js`;
const sc = document.createElement('script');
// NOTE(review): this assignment is the real sink. Setting `src` makes the
// browser fetch and execute whatever `url` resolves to, so if any part of
// `url` (its initial value, CONFIG.version or moduleName) is attacker-
// influenced — the premise of this page — the result is arbitrary script
// execution. The createElement/appendChild pair alone is not what makes
// the snippet dangerous; the value flowing into `sc.src` is.
sc.src = url;
document.body.appendChild(sc);
如上所示，CodeQL 无法检测出 url 是 sink；目前 CodeQL 能识别的是如下所示的 ‘script’ 和 sc 这类 sink：
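// The two statements from the snippet above that the note says CodeQL does
// recognize as a sink: creating the element and inserting it into the DOM.
// Defect fixed: the original used typographic quotes (‘script’), which are
// not valid JavaScript string delimiters; straight quotes are required.
const sc = document.createElement('script');
document.body.appendChild(sc);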
javascript\ql\lib\semmle\javascript\security\dataflow\Xss.qll
/**
 * A data-flow node treated as a DOM-based XSS sink: a value that will be
 * interpreted as HTML, either by a DOM API or by a React Native `WebView`.
 *
 * Note that this model covers HTML-interpreting calls and property writes
 * only; an assignment such as `script.src = url` is not matched by any of
 * the three cases below.
 */
class DomSink extends Sink {
  DomSink() {
    // Right-hand side of a write to a DOM property whose value is rendered as HTML
    exists(DomPropWriteNode propWrite |
      this = DataFlow::valueNode(propWrite.getRhs()) and
      propWrite.interpretsValueAsHTML()
    )
    or
    // Argument of a DOM method that interprets its arguments as HTML
    any(DomMethodCallExpr domCall).interpretsArgumentsAsHTML(this.asExpr())
    or
    // React Native `WebView`: the `html` property, written either directly on
    // the element or on the object assigned to its `source` property
    exists(ReactNative::WebViewElement wv, DataFlow::SourceNode holder |
      (
        holder = wv or
        holder = wv.getAPropertyWrite("source").getRhs().getALocalSource()
      ) and
      this = holder.getAPropertyWrite("html").getRhs()
    )
  }
}
javascript\ql\lib\semmle\javascript\frameworks\Angular2.qll
/**
 * The first argument of an Angular `DomSanitizer` call that promotes its input
 * to a trusted HTML value (`bypassSecurityTrustHtml`) or a trusted CSS value
 * (`bypassSecurityTrustStyle`). Such values are no longer subject to Angular's
 * sanitization, so they are modelled as DOM-based XSS sinks.
 */
private class AngularXssSink extends DomBasedXss::Sink {
  AngularXssSink() {
    exists(string bypassMethod |
      bypassMethod = "bypassSecurityTrustHtml" or
      bypassMethod = "bypassSecurityTrustStyle"
    |
      this = domSanitizer().getAMethodCall(bypassMethod).getArgument(0)
    )
  }
}
javascript\ql\lib\semmle\javascript\frameworks\Cheerio.qll
/**
 * A DOM-based XSS sink through `cheerio`: any argument of a method called on a
 * cheerio object when that method name is one the jQuery model lists as
 * interpreting its argument as HTML (`JQuery::isMethodArgumentInterpretedAsHtml`).
 */
class XssSink extends Xss::DomBasedXss::Sink {
  XssSink() {
    exists(string htmlMethod |
      JQuery::isMethodArgumentInterpretedAsHtml(htmlMethod) and
      this = cheerioObjectRef().getAMethodCall(htmlMethod).getAnArgument()
    )
  }
}
