(function () {
// Globals whose text is influenced by the request or the referring page
// (DOM XSS sources). Each entry is a dotted property path on window.
const suspiciousSources = [
  'location',
  'location.href',
  'location.search',
  'document.URL',
  'document.documentURI',
  'document.referrer',
];

// APIs that interpret a string as markup or code (DOM XSS sinks).
// Reference list only: not every entry here has a hook installed by this script.
const dangerousSinks = [
  'document.write',
  'document.writeln',
  'innerHTML',
  'outerHTML',
  'eval',
  'setTimeout',
  'setInterval',
  'Function',
];
/**
 * Emit a console warning for a suspected DOM XSS event.
 * @param {string} type - name of the sink or source the event was observed on
 * @param {*} detail - the value passed to the sink (or read from the source); logged as-is
 */
function logPotentialXSS(type, detail) {
  const heading = `🚨 [DOM XSS DETECTED] Possible usage of ${type}:`;
  console.warn(heading, detail);
}
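// Hook dangerous sink functions.
// document.write and document.writeln both parse their arguments as markup, so
// both are wrapped; the original is invoked with the same receiver (`this`) and
// arguments so page behaviour is unchanged apart from the warning.
const origWrite = document.write;
document.write = function (...args) {
  logPotentialXSS('document.write', args);
  return origWrite.apply(this, args);
};
const origWriteln = document.writeln;
document.writeln = function (...args) {
  logPotentialXSS('document.writeln', args);
  return origWriteln.apply(this, args);
};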
// eval: the wrapper logs the code string, then forwards to the native eval.
// Note that `nativeEval.call(...)` is always an indirect eval (global scope),
// so page code that relied on a direct eval seeing its local variables will
// behave differently once this hook is installed.
const nativeEval = window.eval;
window.eval = function (str) {
  logPotentialXSS('eval', str);
  return nativeEval.call(this, str);
};
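// setTimeout: only the string form is a code sink (the string is evaluated as
// script); function callbacks pass through silently. Extra arguments are
// forwarded so callers using setTimeout(fn, delay, arg1, ...) keep receiving them.
const origSetTimeout = window.setTimeout;
window.setTimeout = function (code, delay, ...extraArgs) {
  if (typeof code === 'string') {
    logPotentialXSS('setTimeout', code);
  }
  return origSetTimeout(code, delay, ...extraArgs);
};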
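// setInterval: same treatment as setTimeout — warn on the string form only,
// and forward any extra arguments so setInterval(fn, delay, arg1, ...) still
// delivers them to the callback.
const origSetInterval = window.setInterval;
window.setInterval = function (code, delay, ...extraArgs) {
  if (typeof code === 'string') {
    logPotentialXSS('setInterval', code);
  }
  return origSetInterval(code, delay, ...extraArgs);
};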
// Hook dangerous property assignments
/**
 * Wrap the setter of an accessor property so every assignment is reported
 * before the original setter runs. The getter is kept as-is.
 *
 * @param {object} proto - object that owns the accessor (e.g. Element.prototype)
 * @param {string} prop - property name to wrap
 * No-op when `prop` is not an own property of `proto` or has no setter.
 */
const hookElementProperty = (proto, prop) => {
  const descriptor = Object.getOwnPropertyDescriptor(proto, prop);
  if (!descriptor || !descriptor.set) {
    return;
  }
  const { get: originalGet, set: originalSet } = descriptor;
  Object.defineProperty(proto, prop, {
    set(value) {
      logPotentialXSS(prop, value);
      // Preserve the receiver so the native setter acts on the right element.
      originalSet.call(this, value);
    },
    get: originalGet,
    configurable: true,
  });
};
// innerHTML / outerHTML are assumed to be own accessors of Element.prototype,
// so one hook there covers every element; hookElementProperty is a no-op if
// a browser defines them elsewhere.
for (const markupProp of ['innerHTML', 'outerHTML']) {
  hookElementProperty(Element.prototype, markupProp);
}
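// Log suspicious URL parameters.
// Resolve a dotted global path (e.g. 'document.URL') by property lookup rather
// than eval: calling eval here would go through the hooked window.eval above
// and emit a bogus "eval" detection for every source this script inspects.
const resolveGlobalPath = (path, root) =>
  path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), root);

// Markers suggesting markup or script was injected into a source value.
const xssMarker = /<script|on\w+=|javascript:/i;

/**
 * Check each entry of suspiciousSources for XSS-looking content and report hits.
 * @param {object} root - object the dotted paths are resolved against (the window)
 */
function scanSuspiciousSources(root) {
  for (const src of suspiciousSources) {
    try {
      const val = resolveGlobalPath(src, root);
      // `location` is an object; RegExp.prototype.test coerces it to its href string.
      if (val && xssMarker.test(val)) {
        logPotentialXSS(`source: ${src}`, val);
      }
    } catch (e) {
      // Best effort: a source that cannot be read is skipped, as before.
    }
  }
}
scanSuspiciousSources(window);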
})();