A web browser with dynamic data-flow tracking enabled in the JavaScript engine and DOM, based on Mozilla Firefox (https://github.com/mozilla/gecko-dev). It can be used to identify insecure data flows or data privacy leaks in client-side web applications.
GNU General Public License v3.0
80 stars, 15 forks
Foxhound: Adding JSON path string to JSON parse operations #200
Adding JSON path String to the TaintFlow arguments for the JSON.parse operation.
A description of the spec can be found here: https://www.ietf.org/archive/id/draft-goessner-dispatch-jsonpath-00.html
Luckily, the JSONParser in Firefox keeps a stack of visited elements in the tree, which can be iterated to read the property names or the array index.
The JSONParser relies heavily on C++ templates, which made the implementation a bit fiddly, but it seems to work!
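The stack-to-path idea described above, as an added example that is not code from this pull request or from Foxhound: it walks an already-parsed value with an explicit stack of frames and renders each string leaf's location as a JSONPath, which is the information an analyst needs to tell which field of a payload carried a tainted value. The frame layout and the function names `segment`, `pathFromStack` and `stringLeafPaths` are assumptions made for illustration.

```javascript
// Added illustration, not Foxhound code: frame layout and names are assumptions.

// Render one stack frame as a JSONPath segment (Goessner draft notation).
function segment(frame) {
  if (frame.kind === 'index') return `[${frame.index}]`;
  // Dot notation for identifier-like names, bracket notation otherwise.
  return /^[A-Za-z_$][\w$]*$/.test(frame.name)
    ? `.${frame.name}`
    : `['${frame.name.replace(/\\/g, '\\\\').replace(/'/g, "\\'")}']`;
}

// Iterate the stack from the root frame to the innermost one.
function pathFromStack(stack) {
  return '$' + stack.map(segment).join('');
}

// Walk a parsed value depth-first with an explicit stack of frames, the way a
// parser holds the containers it is currently inside, and record the JSONPath
// of every string leaf (the values a taint engine would label).
function stringLeafPaths(text) {
  const found = [];
  const stack = [];
  const visit = (value) => {
    if (typeof value === 'string') {
      found.push({ path: pathFromStack(stack), value });
    } else if (Array.isArray(value)) {
      value.forEach((item, index) => {
        stack.push({ kind: 'index', index });
        visit(item);
        stack.pop();
      });
    } else if (value !== null && typeof value === 'object') {
      for (const [name, item] of Object.entries(value)) {
        stack.push({ kind: 'property', name });
        visit(item);
        stack.pop();
      }
    }
  };
  visit(JSON.parse(text));
  return found;
}

// Constructed sample input.
const sample = '{"user":{"name":"alice","tags":["a","b"]},"redirect-url":"https://example.test/"}';
for (const { path, value } of stringLeafPaths(sample)) console.log(path, '=', value);
```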