A sink is a potentially dangerous JavaScript function or DOM object that can cause undesirable effects if attacker-controlled data is passed to it.
Source: portswigger.net
Element.innerHTML
eval()
Function()
Iframe.srcdoc
Element.outerHTML
document.location.href
jQuery.globalEval
A browser extension that allows you to monitor, intercept, and debug JavaScript sinks based on customizable configurations.
List of sinks (config)
Target websites
Sink is used
Information logged
When DOM Invader exists...
DOM Invader is an incredible extension; I just wanted something that fit my needs.
New devtools menu
Sink information
Customizable filter
Search bar
Reload the page with a debugger
(New features from version 1.0.4)
Reflected pathname in single quotes
Not URL encoded pathname chars:
/0123456789abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ!$%&'()*+,-.:;=@[]_|~
{
  "hooks": {
    "REFLECTED": {
      "attribute": [
        "document.documentElement.innerHTML"
      ]
    }
  },
  "config": {
    "REFLECTED": {
      "match": [
        "exec:return `'${document.location.pathname}'`"
      ]
    }
  }
}
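<div id="elem"></div>
<div id="elem2"></div>
<script src="/purify.min.js"></script>
<script>
  // First place: user input is sanitized before it reaches the sink.
  elem.innerHTML = DOMPurify.sanitize(
    (new URLSearchParams(location.search)).get("user-input")
  );
  // ...
  // Second place: a data attribute is read back and written to a sink unsanitized.
  elem2.innerHTML = document.getElementById("elem-X").getAttribute("data-attr-X");
</script>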
Imagine that everything occurs in a minified JS file in two different places
Sanitized input with query selector
{
  "hooks": {
    "REQUIRED": {
      "attribute": [ "set:Element.prototype.innerHTML" ]
    },
    "TARGET": {
      "function": [ "document.getElementById" ]
    }
  },
  "config": {
    "REQUIRED": { "match": [ "canary-name" ] },
    "TARGET": { "requiredHooks": [ "REQUIRED" ] }
  }
}
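A minimal sketch of what the REQUIRED/TARGET configuration above expresses, added here as an illustration and not taken from DOMLogger++ itself. `FakeElement`, `fakeDocument`, `installHooks` and `demo` are hypothetical names standing in for the browser DOM; `match` is treated as a plain substring test, and `requiredHooks` is assumed to mean "log this hook only after the named hooks have matched".

```javascript
// Added illustration, not DOMLogger++ source. FakeElement and fakeDocument are
// hypothetical stand-ins for Element.prototype and document (no browser needed).
class FakeElement {
  constructor(id) { this.id = id; this._html = ""; }
  get innerHTML() { return this._html; }
  set innerHTML(v) { this._html = String(v); }
}
const fakeDocument = {
  nodes: new Map(),
  getElementById(id) { return this.nodes.get(id) || null; },
};

function installHooks(config, log) {
  const fired = new Set(); // hooks that have matched and been logged so far
  const record = (name, sink, data) => {
    const { match = [], requiredHooks = [] } = config[name];
    // Assumption: "match" is a substring filter on the data reaching the sink.
    if (match.length && !match.some((m) => String(data).includes(m))) return;
    // Assumption: every hook in "requiredHooks" must have fired first.
    if (!requiredHooks.every((h) => fired.has(h))) return;
    fired.add(name);
    log.push({ hook: name, sink, data: String(data) });
  };
  // "set:Element.prototype.innerHTML": wrap the property setter.
  const desc = Object.getOwnPropertyDescriptor(FakeElement.prototype, "innerHTML");
  Object.defineProperty(FakeElement.prototype, "innerHTML", {
    ...desc,
    set(value) { record("REQUIRED", "set:innerHTML", value); desc.set.call(this, value); },
  });
  // "document.getElementById": wrap the function and record its argument.
  const original = fakeDocument.getElementById;
  fakeDocument.getElementById = function (id) {
    record("TARGET", "document.getElementById", id);
    return original.call(this, id);
  };
}

// Constructed run that mirrors the two-step flow of the snippet above.
function demo() {
  const log = [];
  installHooks({
    REQUIRED: { match: ["canary-name"] },
    TARGET: { requiredHooks: ["REQUIRED"] },
  }, log);
  const elem = new FakeElement("elem");
  fakeDocument.getElementById("elem");                 // canary not seen yet: ignored
  elem.innerHTML = '<b id="canary-name" data-x="v"></b>'; // sanitized input hits the sink
  fakeDocument.getElementById("canary-name");          // logged: REQUIRED already fired
  return log.map((e) => `${e.hook}:${e.sink}`);
}
console.log(demo());
```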
Rhackgondins team ❤
https://github.com/kevin-mizu/domloggerpp