Attacker-controlled Sources

Sources are functions or object properties whose values an attacker can control.
Possible sources are variables, the return values of particular functions, and data read from a particular I/O stream.

| Source | Category | Type | Notes |
|---|---|---|---|
| location | URL-based DOM property | | |
| location.href | URL-based DOM property | | Also a URL navigation sink |
| location.pathname | URL-based DOM property | | |
| location.search | URL-based DOM property | | |
| location.hash | URL-based DOM property | | |
| document.URL | URL-based DOM property | | |
| document.documentURI | URL-based DOM property | | |
| document.baseURI | URL-based DOM property | | |
| document.URLUnencoded | URL-based DOM property | | |
| window.name | Navigation-based DOM property | | |
| document.referrer | Navigation-based DOM property | | |
| XMLHttpRequest / Fetch | Communication-based | 2nd-order DOM injection | Passing messages to other domains |
| WebSocket | Communication-based | 2nd-order DOM injection | |
| Window messaging | Communication-based | 2nd-order DOM injection | Passing messages to other domains |
| Cookie | Cookie source | Store type | Persistent client-side XSS |
| LocalStorage | Indirect source | Storage object | Persistent client-side XSS |
| SessionStorage | Indirect source | Storage object | Persistent client-side XSS |
| IndexedDB | Indirect source | Storage object | Persistent client-side XSS |
| history.pushState() | History-based DOM property | | |
| history.replaceState() | History-based DOM property | | |
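Added example (not from the original page): consuming two of the sources listed above, location.search and location.hash, as untrusted input before their values reach a location sink or an HTML sink. The helper names (readParam, safeRedirectTarget, escapeHtml), the sample query and fragment strings, and the origin https://example.test are assumptions constructed for this illustration; the code runs under Node with the built-in URL and URLSearchParams classes.

```javascript
// Added example (not from the original page): treat URL-based sources as
// attacker-controlled input. The functions take the raw string a page would
// read from location.search or location.hash and return only validated values.
// Runs under Node with the built-in URL and URLSearchParams classes.

// Read one parameter out of a query string or fragment without evaluating it.
function readParam(sourceString, name) {
  // location.search starts with "?" and location.hash with "#"; drop either.
  const params = new URLSearchParams(sourceString.replace(/^[?#]/, ''));
  const value = params.get(name);
  return value === null ? '' : value;
}

// Validate a redirect target before it reaches a location sink (location.href,
// location.assign(), location.replace()). Those sinks evaluate javascript: URIs,
// so only a same-origin target is accepted; anything else becomes "/".
function safeRedirectTarget(candidate, siteOrigin) {
  let parsed;
  try {
    parsed = new URL(candidate, siteOrigin); // relative paths resolve against siteOrigin
  } catch (err) {
    return '/';                              // unparseable input
  }
  // javascript:, data: and foreign hosts all fail this comparison.
  if (parsed.origin !== siteOrigin) return '/';
  return parsed.pathname + parsed.search + parsed.hash;
}

// Escape a value before it reaches an HTML injection sink (innerHTML,
// document.write(), jQuery .html()); the markup characters become inert text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// Constructed sample input (assumption): what location.search and
// location.hash might contain on a page that honours a "next" parameter.
const SAMPLE_SEARCH = '?next=javascript:alert(1)&name=<b>guest</b>';
const SAMPLE_HASH = '#next=/account/settings';
const SITE_ORIGIN = 'https://example.test';

function demo() {
  return {
    rejectedNext: safeRedirectTarget(readParam(SAMPLE_SEARCH, 'next'), SITE_ORIGIN),
    acceptedNext: safeRedirectTarget(readParam(SAMPLE_HASH, 'next'), SITE_ORIGIN),
    safeName: escapeHtml(readParam(SAMPLE_SEARCH, 'name')),
  };
}

console.log(demo());
```

The origin comparison does the work in safeRedirectTarget: a javascript: or data: URI has an origin of "null", and a scheme-relative `//host/path` resolves to a foreign origin, so all of them fall back to the default without any string matching on the scheme.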

Injection sinks

Sinks are functions or object properties where attacker-controlled data is executed or rendered.
Possible sinks: variables, parameters passed to a particular function, and instructions of a particular type (e.g., jump instructions).

| Sink | Kind | Sink type | Context / subtype | Notes |
|---|---|---|---|---|
| eval() | Global API | Direct execution sink | JavaScript context | Direct code conversion |
| Function() | Global API | Direct execution sink | JavaScript context | Direct code conversion |
| setTimeout() | Global API | Direct execution sink | JavaScript context | Direct code conversion |
| setInterval() | Global API | Direct execution sink | JavaScript context | Direct code conversion |
| setImmediate() | Global API | Direct execution sink | JavaScript context | Direct code conversion |
| execScript | Global API | Direct execution sink | JavaScript context | Direct code conversion |
| crypto.generateCRMFRequest | | Direct execution sink | JavaScript context | |
| ScriptElement.src | | Direct execution sink | JavaScript context | Modifying script source attributes |
| ScriptElement.text | | Direct execution sink | JavaScript context | Modifying script source attributes |
| ScriptElement.textContent | | Direct execution sink | JavaScript context | Modifying script source attributes |
| ScriptElement.innerText | | Direct execution sink | JavaScript context | Modifying script source attributes |
| `<script></script>` | | Direct execution sink | JavaScript context | |
| `<anyTag onEventName='payload'>` | Property | Direct execution sink | JavaScript context | DOM modification at runtime |
| document.write() | Global API | HTML injection sink | HTML context | DOM modification at rendering |
| document.writeln() | Global API | HTML injection sink | HTML context | DOM modification at rendering |
| Element.innerHTML | Property | HTML injection sink | HTML context | DOM modification at runtime |
| Element.outerHTML | Property | HTML injection sink | HTML context | DOM modification at runtime |
| Element.setAttribute() | Global API | HTML injection sink | HTML context | DOM modification at runtime |
| Element.insertAdjacentHTML() | Global API | HTML injection sink | HTML context | DOM modification at runtime |
| Range.createContextualFragment() | Local API | HTML injection sink | HTML context | DOM modification at runtime |
| HTMLButton.value | | HTML injection sink | HTML context | |
| parseFromString() | | HTML injection sink | HTML context | |
| location | | Location sink | | Evaluates JavaScript URIs |
| location.href | | Location sink | | Evaluates JavaScript URIs |
| location.protocol | | Location sink | | Evaluates JavaScript URIs |
| location.hostname | | Location sink | | Evaluates JavaScript URIs |
| location.replace() | | Location sink | Location-changing function | Evaluates JavaScript URIs |
| location.assign() | | Location sink | Location-changing function | Evaluates JavaScript URIs |
| HTMLButtonElement.formAction | | DOM XSS injection sink | function | |
| HTMLEmbedElement.src | | DOM XSS injection sink | function | |
| HTMLFormElement.action | | DOM XSS injection sink | function | |
| HTMLFrameElement.src | | DOM XSS injection sink | function | |
| HTMLFrameElement.srcdoc | | DOM XSS injection sink | function | |
| HTMLImageElement.src | | DOM XSS injection sink | function | |
| HTMLInputElement.formAction | | DOM XSS injection sink | function | |
| HTMLInputElement.src | | DOM XSS injection sink | function | |
| HTMLMediaElement.src | | DOM XSS injection sink | function | |
| HTMLScriptElement.src | Property | DOM XSS injection sink | Location sink | DOM modification at runtime |
| HTMLScriptElement.text | Property | JavaScript sink | Location sink | DOM modification at runtime |
| HTMLScriptElement.innerText | Property | JavaScript sink | function | DOM modification at runtime |
| HTMLScriptElement.textContent | Property | JavaScript sink | function | DOM modification at runtime |
| HTMLIFrameElement.src | Property | Location injection sink | function | DOM modification at runtime |
| HTMLIFrameElement.srcdoc | Property | HTML injection sink | function | DOM modification at runtime |
| HTMLSourceElement.src | | DOM XSS injection sink | function | |
| HTMLTrackElement.src | | DOM XSS injection sink | function | |
| jQuery(x) | Global jQuery function | jQuery sink | | |
| $(x) | Global jQuery function | jQuery sink | | |
| jQuery.parseHTML(x) | Global jQuery function | jQuery sink | | |
| jQuery.globalEval(userContent) | | jQuery sink | Direct execution sink | |
| element.add(userContent) | Element-specific function | jQuery sink | | |
| element.append(userContent) | Element-specific function | jQuery sink | | |
| element.before(userContent) | Element-specific function | jQuery sink | | |
| element.after(userContent) | Element-specific function | jQuery sink | | |
| element.html(userContent) | Element-specific function | jQuery sink | | |
| element.prepend(userContent) | Element-specific function | jQuery sink | | |
| element.replaceWith(userContent) | Element-specific function | jQuery sink | | |
| element.wrapAll(userContent) | Element-specific function | jQuery sink | | |
| element.wrap(userContent) | Element-specific function | jQuery sink | | |
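Added example (not from the original page, and not a real analysis tool): a minimal line-oriented source-to-sink flow finder whose vocabulary is the two tables above. It marks a variable as tainted when it is assigned from a listed source, clears the mark when a sanitizer call is applied, and reports each line where a tainted variable or a direct source read reaches a listed sink. The snippet it scans, the sanitizer names, and the findFlows/taintSourceIn helpers are assumptions constructed for this illustration; matching is textual, so it misses flows through function calls and object properties and is meant as a code-review triage aid, not a taint engine.

```javascript
// Added example (not from the original page): a minimal source-to-sink flow
// finder whose vocabulary is the tables above. It is textual and line-based,
// so it is a triage aid for code review, not a parser or a real taint engine.

// Attacker-controlled sources from the first table (plus the storage getters).
const SOURCES = [
  'location.href', 'location.search', 'location.hash', 'location.pathname',
  'document.URL', 'document.documentURI', 'document.baseURI',
  'document.referrer', 'window.name', 'document.cookie',
  'localStorage.getItem', 'sessionStorage.getItem',
];

// Sinks from the second table, each as a pattern over one line of code.
const SINKS = [
  { name: 'eval', pattern: /\beval\s*\(/ },
  { name: 'Function', pattern: /\bFunction\s*\(/ },
  { name: 'setTimeout/setInterval', pattern: /\bset(Timeout|Interval)\s*\(/ },
  { name: 'innerHTML', pattern: /\.innerHTML\s*=(?!=)/ },
  { name: 'outerHTML', pattern: /\.outerHTML\s*=(?!=)/ },
  { name: 'document.write', pattern: /\bdocument\.write(ln)?\s*\(/ },
  { name: 'insertAdjacentHTML', pattern: /\.insertAdjacentHTML\s*\(/ },
  { name: 'location assignment', pattern: /\blocation(\.href)?\s*=(?!=)/ },
  { name: 'location.assign/replace', pattern: /\blocation\.(assign|replace)\s*\(/ },
  { name: 'jQuery $()', pattern: /(^|[^\w$])\$\s*\(/ },
  { name: 'jQuery .html()', pattern: /\.html\s*\(/ },
];

// Calls that clear the taint mark (assumption: these are what the reviewed
// code base uses for output encoding and sanitisation).
const SANITIZERS = ['DOMPurify.sanitize(', 'escapeHtml(', 'encodeURIComponent('];

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Return the tainted variable or raw source that appears in `text`, else null.
// Tainted variables are matched as whole identifiers; a preceding "." is
// excluded so that window.name is not mistaken for a local variable `name`.
function taintSourceIn(text, tainted) {
  for (const v of tainted) {
    if (new RegExp('(^|[^\\w$.])' + escapeRegExp(v) + '(?![\\w$])').test(text)) return v;
  }
  for (const s of SOURCES) {
    if (text.includes(s)) return s;
  }
  return null;
}

// Scan JavaScript source text and report {line, sink, via} for every line in
// which attacker-controlled data reaches a listed sink.
function findFlows(sourceText) {
  const tainted = new Set();
  const findings = [];
  sourceText.trim().split('\n').forEach((line, index) => {
    // Simple assignment: `const x = <rhs>` or `x = <rhs>` (not `==`).
    const assign = line.match(/^\s*(?:(?:const|let|var)\s+)?([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+)$/);
    if (assign) {
      const [, lhs, rhs] = assign;
      const cleaned = SANITIZERS.some(s => rhs.includes(s));
      if (!cleaned && taintSourceIn(rhs, tainted)) tainted.add(lhs);
      else tainted.delete(lhs);              // reassigned from clean data
    }
    for (const sink of SINKS) {
      if (!sink.pattern.test(line)) continue;
      const via = taintSourceIn(line, tainted);
      if (via) findings.push({ line: index + 1, sink: sink.name, via });
    }
  });
  return findings;
}

// Constructed snippet (assumption): the kind of code the tables above describe.
const SAMPLE = `
// page script under review
const params = new URLSearchParams(location.search);
const name = params.get('name');
const hash = location.hash.slice(1);
const clean = DOMPurify.sanitize(hash);
document.getElementById('greeting').innerHTML = 'Hello ' + name;
document.getElementById('banner').innerHTML = clean;
const next = sessionStorage.getItem('next');
if (next) location.href = next;
$(document).ready(init);
$(window.name);
eval(config);
`;

for (const f of findFlows(SAMPLE)) {
  console.log(`line ${f.line}: ${f.via} reaches ${f.sink}`);
}
```

On the constructed snippet the finder reports three flows (line 6, 9 and 11) and stays quiet on the sanitized banner line, the untainted jQuery ready() call and the eval() of an untainted variable; the false negatives it will produce on real code (aliasing through functions, properties, or string concatenation across lines) are exactly why the sink list above is best used alongside a browser's debugger or a proper taint-tracking tool.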