{"id":19544883,"url":"https://github.com/ariary/domxssfinder","last_synced_at":"2025-04-26T19:31:48.050Z","repository":{"id":109492865,"uuid":"448020161","full_name":"ariary/DomXssFinder","owner":"ariary","description":" Find sources and sinks in js code that could lead to DOM XSS 🔎💧🚰","archived":false,"fork":false,"pushed_at":"2024-02-27T13:04:45.000Z","size":22,"stargazers_count":22,"open_issues_count":1,"forks_count":4,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-04T17:11:42.192Z","etag":null,"topics":["bug-bounty","dom-xss","pentest","pentest-tool","scanner","security","web-application-security","web-application-security-scanner","xss"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ariary.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2022-01-14T15:44:43.000Z","updated_at":"2025-02-28T21:50:16.000Z","dependencies_parsed_at":"2023-07-14T22:15:23.474Z","dependency_job_id":null,"html_url":"https://github.com/ariary/DomXssFinder","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2FDomXssFinder","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2FDomXssFinder/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2FDomXssFinder/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2FDomXssFinder/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ariary","download_url":"https://codeload.github.com/ariary/DomXssFinder/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251041427,"owners_count":21527193,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bug-bounty","dom-xss","pentest","pentest-tool","scanner","security","web-application-security","web-application-security-scanner","xss"],"created_at":"2024-11-11T03:32:54.873Z","updated_at":"2025-04-26T19:31:47.803Z","avatar_url":"https://github.com/ariary.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# DomXssFinder\n\n**Find sources and sinks in js code that could lead to DOM XSS**\n\n\u003e **💧 Source** := JavaScript property that accepts user controlled data (eg `location.search`)\n\n\u003e **🚰 Sink** := Potentially dangerous JavaScript function or DOM object that can cause an undesirable effect if attacker controlled data is passed to it (eg `eval`)\n\n## How ?\n\n***\u003e Find sources in js code:***\n\n```shell\ncat [js_file] | fsource\n```\n\n***\u003e Find sinks in js code:***\n\n```shell\ncat [js_file] | fsink\n```\n\n***💡 Tip:***\nTo retrieve all js code from a url **~\u003e** [`jse`](https://github.com/ariary/JSextractor):\n```shell\nexport URL=[url]\ncurl -s $URL -H \"Accept: text/html\" | jse -u $URL -gather-src 2\u003e/dev/null\n```\n\nFind all related shortcuts: [`bang 💥`](https://github.com/ariary/bang/blob/main/EXAMPLES.md#find-dom-xss)\n\n***💡 Tip 2:***\nUse the `-C [NUM]` parameter to get more context when a source/sink has been found (prints `[NUM]` lines of output context)\n## Get ready !\n```shell\ncurl -s -lO -L https://github.com/ariary/DomXssFinder/releases/latest/download/fsink \ncurl -s -lO -L https://github.com/ariary/DomXssFinder/releases/latest/download/fsource\nchmod +x fsink fsource\nmv fsink [path in $PATH] \u0026\u0026 mv fsource [path in $PATH]\n```\n\n## Notes\n\nSee how to exploit:\n * [hacktricks.xyz](https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting/dom-xss)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fariary%2Fdomxssfinder","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fariary%2Fdomxssfinder","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fariary%2Fdomxssfinder/lists"}