deepnov edited this page Feb 8, 2017 · 5 revisions

Welcome to the pyxssparser wiki!

PyNarcissus is a standard JavaScript parser written in Python by JT Olds. Here it is customized to perform XSS taint detection. The original Narcissus parser was written in JavaScript by Brendan Eich (the creator of JavaScript). This fork keeps the same structure and approach as Narcissus, adding only a few methods and variables to track taint propagation in Cross-Site Scripting scenarios. The basic approach is to add a flag to the Node class (which represents a parsed JS function or JS variable) and to update that flag whenever an XSS source is assigned to a variable or to a function's return value.

The following cases are covered by this parser/scanner:

A. XSS source assigned to a global variable or global property

    (1) var x=document.URL; /* global variable declared */

    (2) y=document.cookie; /* undeclared variable inside script block is global */

    (3) function foo(){ z=document.URL; } /* undeclared local variable is global */

    (4) var g=new function(){ this.x = document.URL; }; /* g.x is global */

    (5) document.getElementById('foo').innerHTML=document.URL; /* innerHTML is a sink */

B. XSS source assigned to a function return value (exit point)

    (6) function foo1(){
            return document.URL; /* return value has XSS source */
        }
    (7) function foo2(){
            var x=document.cookie;
            return x; /* return value has tainted variable */
        }
    (8) var g = function foo(){
            var x= document.URL;
            return x;
        }; /* anonymous tainted function (foo) */
    (9) var g = function(){
            var x= document.URL;
            return x;
        }; /* anonymous tainted function (unnamed) */
    (10) var g = (function(){
            var x= document.URL;
            return x;
        }); /* anonymous tainted function inside grouping operator */
    (11) var g = (function(){
            return document.URL;
        })(); /* anonymous & tainted immediately-invoked function expression */

C. XSS source passed to a function (entry point)

    (12) function foo(){
             document.write(document.URL); /* XSS source at function call */
         }
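The per-node taint flag described in the introduction, applied to the global-variable, return-value and sink cases listed above, as an added illustration that is not pyxssparser's own code: a minimal taint pass over a hand-built, simplified AST. The `Node` shape, the node kinds, the scope rule (a `var` inside a function is local, every other assignment is global) and the source and sink lists are assumptions made for this example and do not mirror Narcissus's real node class.

```python
from dataclasses import dataclass, field

SOURCES = {"document.URL", "document.cookie"}   # assumed source list for the example
SINKS = {"innerHTML", "document.write"}         # assumed sink list for the example

@dataclass
class Node:
    kind: str                       # source | ident | var | assign | return | call | function
    name: str = ""                  # variable name, member path or function name
    value: "Node | None" = None     # right-hand side, returned expression or callee expression
    args: list = field(default_factory=list)
    body: list = field(default_factory=list)
    tainted: bool = False           # the per-node taint flag the page describes

class TaintScanner:
    def __init__(self):
        self.globals, self.tainted_funcs, self.findings = set(), set(), []

    def is_tainted(self, n, local):
        if n is None:
            return False
        if n.kind == "function":            # function expression: taint it by scanning its body
            self.scan(n.body, set(), n)
            return n.tainted
        if n.kind == "call":                # a call is tainted if its callee is a tainted function
            return n.name in self.tainted_funcs or self.is_tainted(n.value, local)
        return (n.kind == "source" and n.name in SOURCES) or (
            n.kind == "ident" and (n.name in local or n.name in self.globals))

    def scan(self, nodes, local=None, func=None):
        local = set() if local is None else local
        for n in nodes:
            if n.kind == "function":        # declaration: scan the body in a fresh local scope
                self.scan(n.body, set(), n)
            elif n.kind in ("var", "assign"):
                n.tainted = self.is_tainted(n.value, local)
                if n.tainted:
                    # `var` inside a function is local; top-level `var` and undeclared names are global
                    (local if n.kind == "var" and func is not None else self.globals).add(n.name)
                    if n.value.kind == "function":
                        self.tainted_funcs.add(n.name)
                    if n.name.split(".")[-1] in SINKS:
                        self.findings.append(f"tainted assignment to sink {n.name}")
            elif n.kind == "return" and func is not None:
                n.tainted = self.is_tainted(n.value, local)
                func.tainted = func.tainted or n.tainted   # exit point carries taint
                if n.tainted and func.name:
                    self.tainted_funcs.add(func.name)
            elif n.kind == "call" and n.name in SINKS and any(self.is_tainted(a, local) for a in n.args):
                self.findings.append(f"tainted argument to sink {n.name}")
```

Build the cases as `Node` trees (for instance case (7) as a `function` node whose body is a `var` and a `return`), run `TaintScanner().scan([...])`, and inspect `tainted_funcs`, `globals` and `findings`.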