Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/customcommander/xss-lang
An experimental grammar for parsing XSS attacks
grammar javascript nearley parser security xss
Last synced: 19 days ago
- Host: GitHub
- URL: https://github.com/customcommander/xss-lang
- Owner: customcommander
- License: mit
- Created: 2020-07-17T16:08:27.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2023-07-12T06:36:07.000Z (over 1 year ago)
- Last Synced: 2023-08-04T13:46:37.998Z (over 1 year ago)
- Topics: grammar, javascript, nearley, parser, security, xss
- Language: JavaScript
- Homepage:
- Size: 86.9 KB
- Stars: 3
- Watchers: 2
- Forks: 0
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
README
⚠️ _This package is not for production use yet._
# xss-lang
An experimental grammar for parsing XSS attacks.
## TL; DR
This package provides a single function for **detecting** (not mitigating) XSS threats in your JavaScript strings:
```javascript
const scan = require('@customcommander/xss-lang');

scan("javascript:alert('XSS!')");
/*
{ threat: "js_url"
, raw: "javascript:alert('XSS!')"
, found: "javascript:alert('XSS!')"
}
*/
```
## Why?
Your web application _will_ be attacked. Period.
With this parser I wanted to understand the different threats a web application can be exposed to. Knowing what's coming in and out of your application can help you detect and react to potential attacks.
### Example
Say we need to create a function that adds links to a page:
```javascript
// Deliberately vulnerable: the untrusted `link` goes straight into markup.
function add_link(link) {
  const p = document.createElement('p');
  p.innerHTML = `<a href="${link}">CLICK ME</a>`;
  document.body.appendChild(p);
}
```
To add a link to a page we simply need to call the function as such:
```javascript
add_link("https://example.com");
```
However the attentive reader will notice that this function is vulnerable to XSS attacks:
```javascript
add_link("javascript:alert('XSS!')");
```
When the user clicks on that link, an alert box will be displayed. This example is harmless but it demonstrates that code can be executed with full user privileges. If that code comes from an untrusted source there is a high probability that it will cause some damage.
Here's a naive approach to mitigate this threat:
```javascript
// Naive mitigation: a case-sensitive blocklist on the scheme prefix.
function add_link(link) {
  if (link.startsWith('javascript:')) {
    return;
  }
  const p = document.createElement('p');
  p.innerHTML = `<a href="${link}">CLICK ME</a>`;
  document.body.appendChild(p);
}
```
However this will defeat the check yet still allow code to be executed:
```javascript
add_link("jaVAscRIpt:alert('XSS!')");
```
And so will this:
```javascript
add_link("jaVA scRIpt:alert('XSS!')");
```
There are plenty more variations of this than you can handle...