Attacker-controlled Sources
Sources are functions or object properties whose value an attacker can control.
Possible sources are variables, the return values of particular functions, and data read from a particular I/O stream.
| Source | Category | Kind | Notes |
|---|---|---|---|
| location | URL-based | DOM Property | |
| location.href | URL-based | DOM Property | URL Navigation Sink |
| location.pathname | URL-based | DOM Property | |
| location.search | URL-based | DOM Property | |
| location.hash | URL-based | DOM Property | |
| document.URL | URL-based | DOM Property | |
| document.documentURI | URL-based | DOM Property | |
| document.baseURI | URL-based | DOM Property | |
| document.URLUnencoded | URL-based | DOM Property | |
| window.name | Navigation-based | DOM Property | |
| document.referrer | Navigation-based | DOM Property | |
| XMLHTTPRequest/Fetch | Communication based | 2nd order DOM Injections | Passing messages to other domains |
| WebSocket | Communication based | 2nd order DOM Injections | |
| Window Messaging | Communication based | 2nd order DOM Injections | Passing messages to other domains |
| Cookie | Cookie source | Store Type | Persistent Client-Side XSS |
| LocalStorage | Indirect source | Storage Object | Persistent Client-Side XSS |
| SessionStorage | Indirect source | Storage Object | Persistent Client-Side XSS |
| IndexedDB | Indirect source | Storage Object | Persistent Client-Side XSS |
| history.pushState() | History-based | DOM Property | |
| history.replaceState() | History-based | DOM Property | |
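As an added example (not code from the original page), the following Node.js script turns the table above into a simple static scan that reports which attacker-controlled sources a piece of client-side JavaScript reads; the regexes and the sample page script are constructed for this demonstration.

```javascript
// Added example, not part of the original page: a small static scan that reports which of the
// attacker-controlled sources from the table above a piece of client-side JavaScript reads.
// Categories follow the table; the regexes and the sample script are constructed for this demo
// (a regex scan finds direct references only, not values passed through intermediate variables).
const SOURCES = [
  // [source name, category, pattern]; specific members are listed before the bare object
  ['location.href', 'URL-based', /\blocation\.href\b/],
  ['location.pathname', 'URL-based', /\blocation\.pathname\b/],
  ['location.search', 'URL-based', /\blocation\.search\b/],
  ['location.hash', 'URL-based', /\blocation\.hash\b/],
  ['location', 'URL-based', /\blocation\b(?!\s*\.)/],
  ['document.URL', 'URL-based', /\bdocument\.URL\b/],
  ['document.documentURI', 'URL-based', /\bdocument\.documentURI\b/],
  ['document.baseURI', 'URL-based', /\bdocument\.baseURI\b/],
  ['document.URLUnencoded', 'URL-based', /\bdocument\.URLUnencoded\b/],
  ['window.name', 'Navigation-based', /\bwindow\.name\b/],
  ['document.referrer', 'Navigation-based', /\bdocument\.referrer\b/],
  ['XMLHttpRequest/Fetch', 'Communication based', /\b(?:XMLHttpRequest|fetch)\s*\(/],
  ['WebSocket', 'Communication based', /\bnew\s+WebSocket\b/],
  ['Window Messaging', 'Communication based', /\b(?:addEventListener\s*\(\s*['"]message['"]|onmessage\b)/],
  ['Cookie', 'Cookie source', /\bdocument\.cookie\b/],
  ['LocalStorage', 'Indirect source', /\blocalStorage\b/],
  ['SessionStorage', 'Indirect source', /\bsessionStorage\b/],
  ['IndexedDB', 'Indirect source', /\bindexedDB\b/],
  ['history.pushState()', 'History-based', /\bhistory\.pushState\b/],
  ['history.replaceState()', 'History-based', /\bhistory\.replaceState\b/],
];

// Scan script text line by line; returns one finding per (line, source) pair, in line order.
function findSources(script) {
  const findings = [];
  script.split('\n').forEach((text, i) => {
    for (const [source, category, pattern] of SOURCES) {
      if (pattern.test(text)) findings.push({ line: i + 1, source, category });
    }
  });
  return findings;
}

// Constructed sample of a page script that reads several sources before rendering.
const SAMPLE = `const q = new URLSearchParams(location.search).get('q');
document.getElementById('out').innerHTML = q;            // sink, not a source
window.addEventListener('message', e => render(e.data)); // cross-window input
const draft = localStorage.getItem('draft');             // stored value, possibly attacker-written
const from = document.referrer;`;

for (const f of findSources(SAMPLE)) console.log(`line ${f.line}: ${f.source} [${f.category}]`);
```

Each finding marks a point where data flows into the page from outside its control, which is where input validation or safe rendering needs to be checked during review.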