Sink classifications

Untrusted sinks are functions or objects where data can be executed.
Possible sinks: variables, parameters given to a particular function, and instructions of a particular type (e.g., jump instructions).

Code execution sinks. JavaScript and the DOM have several APIs that accept string values and evaluate them as JavaScript code. The interpreted code runs in the same context as the sink. If outsiders can control the values fed to these APIs, the result is the most straightforward form of cross-site scripting. Typical sinks of this kind include eval and the innerHTML property. Safe value: JavaScript code that is safe for browsers to execute.

URL navigation sinks. Many DOM APIs interpret strings as interactive URLs that navigate users to other web resources. In modern web applications URLs can carry schemes with rich semantics and can direct browsers to perform complicated actions, including executing arbitrary code: following a URL with the "javascript:" scheme causes immediate code execution. DOM APIs that accept navigational URLs are therefore in general prone to XSS vulnerabilities. Safe value: URLs that are safe for browsers to follow.

Loadable URL sinks. In some cases DOM URLs are not for users to interact with; instead they instruct the browser to request and load additional resources needed to render the page, including executable JavaScript code. Typical examples include the src property of script and link elements. Attackers can perform cross-site scripting by injecting URLs that point to content they control. Content Security Policy (CSP) is a countermeasure against XSS through loadable URL injection, but there are many cases where CSP is ineffective or can be bypassed by sophisticated techniques. Safe value: URLs pointing to resources that contain trusted JavaScript or CSS code.

HTML sinks. Some DOM sinks interpret string values as arbitrary HTML markup. The most straightforward way to exploit such a sink is to inject JavaScript code marked up with a script tag. In more complicated attacks, HTML sinks can be used to spawn other kinds of sinks. Safe value: HTML that is safe to render in a user's browser.

CSS sinks. JavaScript exposes DOM APIs that let developers dynamically control how browsers render HTML elements by changing the associated Cascading Style Sheets (CSS). In legacy browsers such as IE 6 and IE 7, JavaScript code could be embedded in CSS and was executed when the style sheet loaded. Safe value: CSS declarations that can be safely used as inline style values of HTML elements.
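The following is an added example, not code from the original page: a small helper layer that enforces the "safe value" contract for three of the sink categories above (navigation URLs, loadable resource URLs, HTML) and refuses string payloads for code execution sinks. It has no DOM dependency so it runs under Node.js; the base URL and allowed origin are assumed placeholder values.

```javascript
// Added example (not from the original page). The origin "https://app.example" is an assumption.
const SAFE_NAVIGATION_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// URL navigation sinks (location.href, a.href, form.action): allow-list the scheme.
// Parsing with the WHATWG URL parser first lowercases the scheme and strips ASCII
// tabs/newlines, so variants like "JaVaScRiPt:" or "java\tscript:" are still
// recognised as the javascript: scheme and rejected.
function safeNavigationUrl(input, base = "https://app.example/") {
  let url;
  try {
    url = new URL(String(input), base);
  } catch {
    return null; // unparseable input is never a safe navigation target
  }
  return SAFE_NAVIGATION_SCHEMES.has(url.protocol) ? url.href : null;
}

// Loadable URL sinks (script.src, link.href): the browser executes whatever is fetched,
// so require an https resource on our own origin instead of relying on CSP alone.
function safeResourceUrl(input, allowedOrigin = "https://app.example") {
  let url;
  try {
    url = new URL(String(input), allowedOrigin + "/");
  } catch {
    return null;
  }
  return url.protocol === "https:" && url.origin === allowedOrigin ? url.href : null;
}

// HTML sinks (innerHTML, document.write, jQuery .html()): when a string must reach an
// HTML sink, make markup characters inert so the value renders as text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Code execution sinks (eval, setTimeout with a string): there is no safe transformation
// of untrusted data, so refuse strings entirely and accept only a real function.
function requireCallback(handler) {
  if (typeof handler !== "function") {
    throw new TypeError("code execution sink: string payloads are not accepted");
  }
  return handler;
}
```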

Injection sinks


| Sink name | Sink type | Function | Rendering context | Resulting exploit |
|---|---|---|---|---|
| eval() | Global API | Direct code conversion | JavaScript context | Direct execution sink: script injection |
| Function() | Global API | Direct code conversion | JavaScript context | Direct execution sink: script injection |
| setTimeout() | Global API | Direct code conversion | JavaScript context | Direct execution sink: script injection |
| setInterval() | Global API | Direct code conversion | JavaScript context | Direct execution sink: script injection |
| setImmediate() | Global API | Direct code conversion | JavaScript context | Direct execution sink: script injection |
| execScript() | Global API | Direct code conversion | JavaScript context | Direct execution sink: script injection |
| crypto.generateCRMFRequest() | | Direct execution sink | JavaScript context | |
| ScriptElement.src | | Direct execution sink | JavaScript context | Modifying script source attributes |
| ScriptElement.text | | Direct execution sink | JavaScript context | Modifying script source attributes |
| ScriptElement.textContent | | Direct execution sink | JavaScript context | Modifying script source attributes |
| ScriptElement.innerText | | Direct execution sink | JavaScript context | Modifying script source attributes |
| <script></script> | | Direct execution sink | JavaScript context | |
| <anyTag onEventName='payload'> | Property | Direct execution sink | JavaScript context | DOM modification at runtime |
| document.cookie | ? API | ? | ? | HTML code injection, session fixation attacks |
| document.write() | Global API | DOM modification at rendering | HTML context | HTML code injection |
| document.writeln() | Global API | DOM modification at rendering | HTML context | HTML code injection |
| Element.innerHTML | Property | HTML injection sink | HTML context | DOM modification at runtime |
| Element.outerHTML | Property | HTML injection sink | HTML context | DOM modification at runtime |
| Element.setAttribute() | Global API | HTML injection sink | HTML context | DOM modification at runtime |
| Element.insertAdjacentHTML() | Global API | HTML injection sink | HTML context | DOM modification at runtime |
| Range.createContextualFragment() | Local API | HTML injection sink | HTML context | DOM modification at runtime |
| HTMLButton.value | | HTML injection sink | HTML context | |
| parseFromString() | | HTML injection sink | HTML context | |
| location | Location sink | Evaluates JavaScript URIs | | |
| location.href | Location sink | Evaluates JavaScript URIs | | |
| location.protocol | Location sink | Evaluates JavaScript URIs | | |
| location.hostname | Location sink | Evaluates JavaScript URIs | | |
| location.replace() | Location sink | Evaluates JavaScript URIs | | Location-changing functions |
| location.assign() | Location sink | Evaluates JavaScript URIs | | Location-changing functions |
| HTMLButtonElement.formAction | | DOM XSS injection sink | function | |
| HTMLEmbedElement.src | | DOM XSS injection sink | function | |
| HTMLFormElement.action | | DOM XSS injection sink | function | |
| HTMLFrameElement.src | | DOM XSS injection sink | function | |
| HTMLFrameElement.srcdoc | | DOM XSS injection sink | function | |
| HTMLImageElement.src | | DOM XSS injection sink | function | |
| HTMLInputElement.formAction | | DOM XSS injection sink | function | |
| HTMLInputElement.src | | DOM XSS injection sink | function | |
| HTMLMediaElement.src | | DOM XSS injection sink | function | |
| HTMLScriptElement.src | Property | DOM XSS injection sink | Location sink | DOM modification at runtime |
| HTMLScriptElement.text | Property | JavaScript sink | Location sink | DOM modification at runtime |
| HTMLScriptElement.innerText | Property | JavaScript sink | function | DOM modification at runtime |
| HTMLScriptElement.textContent | Property | JavaScript sink | function | DOM modification at runtime |
| HTMLIFrameElement.src | Property | Location injection sink | function | DOM modification at runtime |
| HTMLIFrameElement.srcdoc | Property | HTML injection sink | function | DOM modification at runtime |
| HTMLSourceElement.src | | DOM XSS injection sink | function | |
| HTMLTrackElement.src | | DOM XSS injection sink | function | |
| jQuery(x) | jQuery sink | Global jQuery function | | |
| jQuery $(x) | jQuery sink | Global jQuery function | | |
| jQuery.parseHTML(x) | jQuery sink | Global jQuery function | | |
| jQuery.globalEval(userContent) | jQuery sink | Direct execution sink | | |
| element.add(userContent) | jQuery sink | Element-specific function | | |
| element.append(userContent) | jQuery sink | Element-specific function | | |
| element.before(userContent) | jQuery sink | Element-specific function | | |
| element.after(userContent) | jQuery sink | Element-specific function | | |
| element.html(userContent) | jQuery sink | Element-specific function | | |
| element.prepend(userContent) | jQuery sink | Element-specific function | | |
| element.replaceWith(userContent) | jQuery sink | Element-specific function | | |
| element.wrapAll(userContent) | jQuery sink | Element-specific function | | |
| element.wrap(userContent) | jQuery sink | Element-specific function | | |
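The following is an added example, not part of the original page: a grep-style code review aid that flags uses of sinks from the table above in JavaScript source and labels each hit with the table's sink category. It reports where a sink is used, not whether the data reaching it is attacker-controlled; the sample source it scans is constructed for the example.

```javascript
// Added example (not from the original page). Patterns are regex heuristics, not a parser.
const SINK_PATTERNS = [
  { re: /\beval\s*\(/, sink: "eval()", category: "Direct execution sink" },
  { re: /\bnew\s+Function\s*\(/, sink: "Function()", category: "Direct execution sink" },
  { re: /\bset(?:Timeout|Interval|Immediate)\s*\(\s*["'`]/, sink: "setTimeout()/setInterval() with a string", category: "Direct execution sink" },
  { re: /\bdocument\.write(?:ln)?\s*\(/, sink: "document.write()", category: "HTML injection sink" },
  { re: /\.(?:innerHTML|outerHTML)\s*\+?=(?!=)/, sink: "Element.innerHTML/outerHTML", category: "HTML injection sink" },
  { re: /\.(?:insertAdjacentHTML|createContextualFragment)\s*\(/, sink: "insertAdjacentHTML()/createContextualFragment()", category: "HTML injection sink" },
  { re: /\blocation(?:\.href)?\s*=(?!=)/, sink: "location / location.href", category: "Location sink" },
  { re: /\blocation\.(?:assign|replace)\s*\(/, sink: "location.assign()/replace()", category: "Location sink" },
  { re: /(?:\$|\bjQuery)\s*\(\s*[A-Za-z_$][\w$]*\s*\)/, sink: "jQuery(x) with a non-literal argument", category: "jQuery sink" },
  { re: /(?:\$|\bjQuery)\.(?:parseHTML|globalEval)\s*\(/, sink: "jQuery.parseHTML()/globalEval()", category: "jQuery sink" },
  { re: /\.(?:html|append|prepend|before|after|replaceWith|wrap|wrapAll|add)\s*\(/, sink: "jQuery DOM-manipulation method", category: "jQuery sink" },
];

// Returns one record per (line, pattern) match. Trailing "//" comments are stripped with a
// simple heuristic, so a "//" inside a string literal on the same line would also be cut.
function findSinks(source) {
  const hits = [];
  source.split(/\r?\n/).forEach((text, index) => {
    const code = text.replace(/\/\/.*$/, "");
    for (const p of SINK_PATTERNS) {
      if (p.re.test(code)) {
        hits.push({ line: index + 1, sink: p.sink, category: p.category, code: code.trim() });
      }
    }
  });
  return hits;
}

// Constructed sample (not real application code) touching several rows of the table.
const SAMPLE_SOURCE = [
  'const q = new URLSearchParams(location.search).get("q");',
  'document.getElementById("out").innerHTML = "<b>" + q + "</b>"; // HTML sink',
  'eval("render(" + q + ")"); // code sink',
  'location.href = q; // location sink',
  '$("#msg").html(q); // jQuery sink',
  'document.getElementById("out").textContent = q; // not a sink',
].join("\n");

for (const hit of findSinks(SAMPLE_SOURCE)) {
  console.log(`line ${hit.line}: ${hit.category} (${hit.sink}) -> ${hit.code}`);
}
```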