SAP / project-foxhound

A web browser with dynamic data-flow tracking enabled in the Javascript engine and DOM, based on Mozilla Firefox (https://github.com/mozilla/gecko-dev). It can be used to identify insecure data flows or data privacy leaks in client-side web applications.
GNU General Public License v3.0

DOM Related Sources and Sinks #198

Closed tmbrbr closed 9 months ago

tmbrbr commented 10 months ago

There are quite a lot of updates in this one:

Example of DOM selector sources:

// Selector source: the element is looked up through a DOM selector, so any
// attribute value read from it is tainted and attributed to that selector.
var element = document.getElementById("content_by_id");
var tainted = element.getAttribute("test");

check_tainted(tainted);
check_taint_source(tainted, "document.getElementById");

Example of DOM insertion sinks:

let container = document.createElement("div");
let p = document.createElement("p");
container.appendChild(p);
// Taint the markup by hand so the flow can be followed without a real source.
let template = document.createElement("template");
template.innerHTML = String.tainted("<div test='hello'>Content Here</div>");

// Insertion sink: after() puts the template into the tree next to p, and the
// taint must survive into the serialized markup of the container.
p.after(template);

check_tainted(container.outerHTML);
check_taint_source(container.outerHTML, "manual taint source");

More examples are in the test_dom.html file.
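To make the source and sink roles above concrete outside the browser, here is an added, self-contained model of string taint tracking. It is not Foxhound's code: Foxhound records taint natively inside the SpiderMonkey engine and the Gecko DOM, whereas this example uses a constructed TaintedString class, a constructed fake document (fakeDocument, FakeElement) and a constructed reportSink function so it runs in plain Node. It shows the same shape of flow the PR tests for: an attribute read on an element found via document.getElementById is the source, string operations carry the taint ranges along, and a tainted value reaching an innerHTML sink becomes a finding.

```javascript
'use strict';

// Constructed model (not Foxhound's implementation): a string that carries
// taint ranges, each tagged with the operation that produced the data.
class TaintedString {
  constructor(str, ranges = []) {
    this.str = str;
    this.ranges = ranges; // [{ begin, end, source }], end is exclusive
  }
  static of(v) {
    return v instanceof TaintedString ? v : new TaintedString(String(v));
  }
  static fromSource(str, source) {
    return new TaintedString(str, [{ begin: 0, end: str.length, source }]);
  }
  isTainted() { return this.ranges.length > 0; }
  sources() { return [...new Set(this.ranges.map((r) => r.source))]; }
  // Taint propagates through concatenation: shift the right operand's ranges.
  concat(other) {
    const o = TaintedString.of(other);
    const shift = this.str.length;
    const shifted = o.ranges.map((r) => ({ begin: r.begin + shift, end: r.end + shift, source: r.source }));
    return new TaintedString(this.str + o.str, this.ranges.concat(shifted));
  }
  // Taint propagates through slicing: keep only the overlapping part of each range.
  slice(begin, end = this.str.length) {
    const kept = [];
    for (const r of this.ranges) {
      const b = Math.max(r.begin, begin);
      const e = Math.min(r.end, end);
      if (b < e) kept.push({ begin: b - begin, end: e - begin, source: r.source });
    }
    return new TaintedString(this.str.slice(begin, end), kept);
  }
  toString() { return this.str; }
}

// Sink reporting: every tainted value reaching a sink becomes a finding,
// the counterpart of the "Exported N findings" lines a crawl prints.
const findings = [];
function reportSink(sinkName, value) {
  const v = TaintedString.of(value);
  if (v.isTainted()) {
    findings.push({ sink: sinkName, sources: v.sources(), value: v.toString() });
  }
  return v;
}

// Minimal fake DOM (constructed for this example). An element found through a
// selector remembers that selector; attribute reads on it are then taint
// sources attributed to the selector, as in the getElementById test above.
class FakeElement {
  constructor(attrs = {}) {
    this.attrs = attrs;
    this.selectorSource = null;
    this.html = '';
  }
  getAttribute(name) {
    const raw = this.attrs[name];
    if (raw === undefined) return null;
    return this.selectorSource ? TaintedString.fromSource(raw, this.selectorSource) : new TaintedString(raw);
  }
  set innerHTML(value) { this.html = reportSink('innerHTML', value).toString(); }
  get innerHTML() { return this.html; }
}
const fakeDocument = {
  elements: { content_by_id: new FakeElement({ test: 'Content Here' }) },
  getElementById(id) {
    const el = this.elements[id];
    if (el) el.selectorSource = 'document.getElementById';
    return el || null;
  },
};

// Drive one source-to-sink flow and return the findings it produced.
function runDemo() {
  findings.length = 0;
  const out = new FakeElement();
  out.innerHTML = '<p>static markup</p>';               // untainted: no finding
  const attr = fakeDocument.getElementById('content_by_id').getAttribute('test');
  const markup = new TaintedString('<p>').concat(attr).concat('</p>');
  out.innerHTML = markup;                                // tainted: one finding
  out.innerHTML = markup.slice(0, 3);                    // only the literal '<p>' remains: no finding
  return findings;
}
```

Calling runDemo() yields exactly one finding, with sink "innerHTML", source "document.getElementById" and the full tainted markup as its value; the untainted write and the slice that drops the tainted range produce none. Real Foxhound additionally tracks the many other string operations, DOM APIs and sink types that this toy leaves out, which is also why leeN notes below that the number of flows, and with it crawl time, grows once DOM sources and sinks are enabled.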

leeN commented 9 months ago

As I said during yesterday's call, the code looks good, and the tests look good as well!

I am currently running a test crawl, and it feels like there are more timeouts (which makes sense, as the number of flows explodes), but I have yet to encounter a Foxhound crash.

I suggest turning these off by default via the preferences and requiring the user to turn them on manually. Otherwise, if old settings are reused, stuff like XSS scanning will suffer (resource increase, timeouts, etc.).

To summarize: Looks good to me for merging :+1:

E.g., for msn.com:

67 https://msn.com/
Redirected to www.msn.com
Exported 378 findings for https://msn.com