Observing Taint Flows
Whenever a taint flow appears, Foxhound will (1) log a warning message to the console and (2) emit an event containing more detailed information about the taint flow.
The emitted event uses the name __taintreport.
Add an event listener for this event to collect taint flows and/or obtain more detailed information about them.
Example usage; feel free to adapt it to your use case.
// Collect Foxhound taint reports: the event's `detail` carries the report, and
// `detail.str.taint` carries the tainted ranges (begin/end plus their flow) of
// the string that reached the sink.
window.addEventListener("__taintreport", (event) => {
  const { detail } = event;
  console.log(detail);
  console.log(detail.str.taint);
});
Here is an example of the output of JSON.stringify(report.detail.str.taint) produced on visiting https://domgo.at/cxss/example/1?payload=abcd&sp=x#12345. According to that page, the code executed is
let hash = location.hash; // taint source: the URL fragment (reported below as "location.hash" with source: true)
if (hash.length > 1) {
let hashValueToUse = unescape(hash.substr(1)); // taint propagates through substr and unescape; nothing here removes HTML
let msg = "Welcome <b>" + hashValueToUse + "</b>!!"; // reported as two concat operations (right operand tainted first, then left)
document.getElementById("msgboard").innerHTML = msg; // taint sink: innerHTML parses the still-tainted text as HTML
}
This code is vulnerable to XSS as an attacker can inject HTML into the hash of the URL, which will set to the msgboard element. This can be confirmed with the URL https://domgo.at/cxss/example/1?payload=abcd&sp=x#%3Cimg%20src=x%20onerror=alert(1)%3E.
The String entering the sink is Welcome <b>12345</b>!!, and we see that characters 11--16 (begin inclusive, end exclusive, i.e. 12345) are tainted. The flow array lists the operations performed on the String in reverse order — the sink first and the location.hash source last — and they match those in the code snippet.
[
{
"begin": 11,
"end": 16,
"flow": [
{
"operation": "function",
"builtin": false,
"source": false,
"location": {
"filename": "https://domgo.at/cxss/example/1?payload=abcd&sp=x#12345",
"function": "",
"line": 204,
"pos": 18,
"scriptline": 198,
"scripthash": "d7069063759edbf2dcf45741802bc405"
},
"arguments": [
"ReportTaintSink",
"taint_reporting.js:1",
"0",
"3"
]
},
{
"operation": "innerHTML",
"builtin": true,
"source": false,
"location": {
"filename": "https://domgo.at/cxss/example/1?payload=abcd&sp=x#12345",
"function": "",
"line": 204,
"pos": 18,
"scriptline": 198,
"scripthash": "d7069063759edbf2dcf45741802bc405"
},
"arguments": [
"//xhtml:div[@id='msgboard']"
]
},
{
"operation": "concat",
"builtin": true,
"source": false,
"location": {
"filename": "https://domgo.at/cxss/example/1?payload=abcd&sp=x#12345",
"function": "",
"line": 203,
"pos": 35,
"scriptline": 198,
"scripthash": "d7069063759edbf2dcf45741802bc405"
},
"arguments": [
"Welcome <b>12345",
"</b>!!",
"tainted:L"
]
},
{
"operation": "concat",
"builtin": true,
"source": false,
"location": {
"filename": "https://domgo.at/cxss/example/1?payload=abcd&sp=x#12345",
"function": "",
"line": 203,
"pos": 35,
"scriptline": 198,
"scripthash": "d7069063759edbf2dcf45741802bc405"
},
"arguments": [
"Welcome <b>",
"12345",
"tainted:R"
]
},
{
"operation": "unescape",
"builtin": true,
"source": false,
"location": {
"filename": "https://domgo.at/cxss/example/1?payload=abcd&sp=x#12345",
"function": "",
"line": 202,
"pos": 38,
"scriptline": 198,
"scripthash": "d7069063759edbf2dcf45741802bc405"
},
"arguments": [
"12345"
]
},
{
"operation": "substr",
"builtin": true,
"source": false,
"location": {
"filename": "https://domgo.at/cxss/example/1?payload=abcd&sp=x#12345",
"function": "",
"line": 202,
"pos": 44,
"scriptline": 198,
"scripthash": "d7069063759edbf2dcf45741802bc405"
},
"arguments": [
"1",
"undefined"
]
},
{
"operation": "location.hash",
"builtin": true,
"source": true,
"location": {
"filename": "https://domgo.at/cxss/example/1?payload=abcd&sp=x#12345",
"function": "",
"line": 200,
"pos": 16,
"scriptline": 198,
"scripthash": "d7069063759edbf2dcf45741802bc405"
},
"arguments": []
}
]
}
]