DOM-based Cross Site Scripting
Use burp scanner
or manually look for
Source:
https://code.google.com/p/domxsswiki/wiki/ExecutionSinks
or manually look for
Browser JavaScript execution sinks
The following JavaScript functions parse strings as JavaScript. If it is possible to control, even partially, the vulnerable argument, then it is possible to execute JavaScript.
| Function Name | Argument | Browser | Example |
| eval | first | All | eval("jsCode"+usercontrolledVal ) |
| Function | first if there's one, the last if >1 args | All | Function("jsCode"+usercontrolledVal ) , Function("arg","arg2","jsCode"+usercontrolledVal ) |
| setTimeout | first IIF it is a string | All | setTimeout("jsCode"+usercontrolledVal ,timeMs) |
| setInterval | first IIF it is a string | All | setInterval("jsCode"+usercontrolledVal ,timMs) |
| setImmediate | first IIF it is a string | IE 10+ | setImmediate("jsCode"+usercontrolledVal ) |
| execScript | first | IE 6+ | execScript("jsCode"+usercontrolledVal ,"JScript") |
| crypto.generateCRMFRequest | 5th | Firefox 2+ | crypto.generateCRMFRequest('CN=0',0,0,null,'jsCode'+usercontrolledVal,384,null,'rsa-dual-use') |
| ScriptElement.src | assignedValue | All | script.src = usercontrolledVal |
| ScriptElement.text | assignedValue | Explorer | script.text = 'jsCode'+usercontrolledVal |
| ScriptElement.textContent | assignedValue | All but IE<9 | script.textContent = 'jsCode'+usercontrolledVal |
| ScriptElement.innerText | assignedValue | All but Firefox | script.innerText = 'jsCode'+usercontrolledVal |
| anyTag.onEventName | assignedValue | All | anyTag.onclick = 'jsCode'+usercontrolledVal |
(TBF)
Source:
https://code.google.com/p/domxsswiki/wiki/ExecutionSinks