#Tag · Kakapo Social

#Tag

Log in

chaos.social boosted

@webklex@chaos.social · 2 days ago

I've been a bit productive this weekend and created a simple sink & source scanner for #js #ts etc. https://www.npmjs.com/package/@webklex/sinker

Console output:
Scanning example for 106 sinks (context-depth: 3)...
Successfully scanned 3 files
Found 4 violations
Violation found in /mnt/nvme/projects/sinker/example/src/index.ts:12
Sink: document.URL
Category: Common Source
Description: A source that can be controlled by an attacker and can lead to XSS if not properly sanitized.
Link: https://portswigger.net/web-security/dom-based
Line 9: // We decode the URL because browsers often auto-encode characters in document.URL,
Line 10: // which might prevent the XSS from triggering in some modern browsers.
Line 11: // Decoding it simulates a scenario where the application processes the raw input.
Add // @safe-sink: a short explanation why its safe here to suppress this finding.
Line 12: (>>) const url = decodeURIComponent(document.URL);
Line 13: const contentDiv = document.getElementById('content');
Line 14:
Line 15: if (contentDiv) { — Console output: Scanning example for 106 sinks (context-depth: 3)... Successfully scanned 3 files Found 4 violations Violation found in /mnt/nvme/projects/sinker/example/src/index.ts:12 Sink: document.URL Category: Common Source Description: A source that can be controlled by an attacker and can lead to XSS if not properly sanitized. Link: https://portswigger.net/web-security/dom-based Line 9: // We decode the URL because browsers often auto-encode characters in document.URL, Line 10: // which might prevent the XSS from triggering in some modern browsers. Line 11: // Decoding it simulates a scenario where the application processes the raw input. Add // @safe-sink: a short explanation why its safe here to suppress this finding. Line 12: (>>) const url = decodeURIComponent(document.URL); Line 13: const contentDiv = document.getElementById('content'); Line 14: Line 15: if (contentDiv) {

@webklex@chaos.social · 2 days ago

I've been a bit productive this weekend and created a simple sink & source scanner for #js #ts etc. https://www.npmjs.com/package/@webklex/sinker

Console output:
Scanning example for 106 sinks (context-depth: 3)...
Successfully scanned 3 files
Found 4 violations
Violation found in /mnt/nvme/projects/sinker/example/src/index.ts:12
Sink: document.URL
Category: Common Source
Description: A source that can be controlled by an attacker and can lead to XSS if not properly sanitized.
Link: https://portswigger.net/web-security/dom-based
Line 9: // We decode the URL because browsers often auto-encode characters in document.URL,
Line 10: // which might prevent the XSS from triggering in some modern browsers.
Line 11: // Decoding it simulates a scenario where the application processes the raw input.
Add // @safe-sink: a short explanation why its safe here to suppress this finding.
Line 12: (>>) const url = decodeURIComponent(document.URL);
Line 13: const contentDiv = document.getElementById('content');
Line 14:
Line 15: if (contentDiv) { — Console output: Scanning example for 106 sinks (context-depth: 3)... Successfully scanned 3 files Found 4 violations Violation found in /mnt/nvme/projects/sinker/example/src/index.ts:12 Sink: document.URL Category: Common Source Description: A source that can be controlled by an attacker and can lead to XSS if not properly sanitized. Link: https://portswigger.net/web-security/dom-based Line 9: // We decode the URL because browsers often auto-encode characters in document.URL, Line 10: // which might prevent the XSS from triggering in some modern browsers. Line 11: // Decoding it simulates a scenario where the application processes the raw input. Add // @safe-sink: a short explanation why its safe here to suppress this finding. Line 12: (>>) const url = decodeURIComponent(document.URL); Line 13: const contentDiv = document.getElementById('content'); Line 14: Line 15: if (contentDiv) {

𝕂𝚞𝚋𝚒𝚔ℙ𝚒𝚡𝚎𝚕 and 1 other boosted

𝕂𝚞𝚋𝚒𝚔ℙ𝚒𝚡𝚎𝚕

@kubikpixel@chaos.social · 2 days ago

npmx

A fast, modern browser for the npm registry.

./ https://npmx.dev

#javascript #npm #browser #js #ts #web #webdev #typescript #dev #internet #git #development #libary #registry #npmx

𝕂𝚞𝚋𝚒𝚔ℙ𝚒𝚡𝚎𝚕

@kubikpixel@chaos.social · 2 days ago

npmx

A fast, modern browser for the npm registry.

./ https://npmx.dev

#javascript #npm #browser #js #ts #web #webdev #typescript #dev #internet #git #development #libary #registry #npmx

Kakapo Social

Kakapo Social: About · Code of conduct · Privacy · Users · Instances

Bonfire social · 1.0.2-alpha.20 no JS en

Automatic federation enabled

Log in