DomXssFinder
Find sources and sinks in js code that could lead to DOM XSS 🔎💧🚰
💧 Source := JavaScript property that accepts user-controlled data (e.g. location.search)
🚰 Sink := Potentially dangerous JavaScript function or DOM object that can cause an undesirable effect if attacker-controlled data is passed to it (e.g. eval)
How?
> Find sources in js code:
cat [js_file] | fsource
> Find sinks in js code:
cat [js_file] | fsink
💡 Tip:
To retrieve all JS code from a URL, use jse:
export URL=[url]
curl -s $URL -H "Accept: text/html" | jse -u $URL -gather-src 2>/dev/null
Find all related shortcuts: bang 💥
💡 Tip 2:
Use the -C [NUM] parameter to get more context when a source/sink has been found (prints [NUM] lines of output context around each match)
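To make the source/sink idea concrete, here is an added example (not DomXssFinder's own code) of what such a scan finds: a small grep-style scanner in the spirit of fsource/fsink, including -C style context, plus a crude taint heuristic that links sources to sinks. It runs under Node on a constructed page script that feeds location.search into innerHTML and location.hash into setTimeout, and on a hardened rewrite of the same script. The SOURCES and SINKS lists, the sample scripts and every function name are assumptions made for this example; the tool's real lists may differ.

```javascript
// Added example, not DomXssFinder's own code: a minimal source/sink scanner in
// the spirit of fsource / fsink, plus a crude taint heuristic, run over a
// constructed JS sample. SOURCES / SINKS are an assumed subset of the usual
// DOM XSS lists, not the lists the tool actually ships with.

const SOURCES = [
  'location.search', 'location.hash', 'location.href', 'document.URL',
  'document.referrer', 'document.cookie', 'window.name', 'postMessage',
];

const SINKS = [
  'eval', 'Function', 'setTimeout', 'setInterval', 'innerHTML', 'outerHTML',
  'insertAdjacentHTML', 'document.write', 'document.writeln', 'location.assign',
];

// Constructed sample (not taken from any real site): one source reaches
// innerHTML, another reaches setTimeout as a string. Both are DOM XSS patterns.
const SAMPLE_JS = [
  "const params = new URLSearchParams(location.search);",
  "const name = params.get('name');",
  "document.getElementById('greeting').innerHTML = 'Hello ' + name;",
  "const cb = location.hash.slice(1);",
  "setTimeout(cb, 0);",
  "console.log('page ready');",
].join('\n');

// Hardened rewrite: text instead of markup, and an allow-list instead of a
// string-to-code sink. The sources are still there; no sink consumes them.
const HARDENED_JS = [
  "const params = new URLSearchParams(location.search);",
  "const name = params.get('name') ?? 'guest';",
  "document.getElementById('greeting').textContent = 'Hello ' + name;",
  "const section = location.hash.slice(1);",
  "if (section === 'home' || section === 'about') showSection(section);",
].join('\n');

const escapeRegExp = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Entries of `names` that occur in `text` as whole identifiers / member paths.
function mentions(text, names) {
  return names.filter((n) =>
    new RegExp('(^|[^\\w$])' + escapeRegExp(n) + '(?![\\w$])').test(text));
}

// Grep-style pass: every line mentioning one of `names`, with -C style context.
function findMentions(code, names, context = 0) {
  const lines = code.split('\n');
  const hits = [];
  lines.forEach((text, i) => {
    for (const name of mentions(text, names)) {
      const lo = Math.max(0, i - context);
      const hi = Math.min(lines.length - 1, i + context);
      hits.push({ line: i + 1, name, text: text.trim(), context: lines.slice(lo, hi + 1) });
    }
  });
  return hits;
}

const findSources = (code, context = 0) => findMentions(code, SOURCES, context);
const findSinks = (code, context = 0) => findMentions(code, SINKS, context);

// Crude taint heuristic on top of the grep: a variable assigned from a source
// (or from an already tainted variable) is tainted; a sink line that mentions a
// tainted variable or a source directly is a candidate source-to-sink flow.
// Purely textual (no scoping, no string-literal awareness), so it over-approximates.
function taintedFlows(code) {
  const lines = code.split('\n');
  const assignRe = /^\s*(?:const|let|var)?\s*([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+)$/;
  const tainted = new Set();
  let changed = true;
  while (changed) {               // fixed point over simple assignments
    changed = false;
    for (const text of lines) {
      const m = text.match(assignRe);
      if (!m || tainted.has(m[1])) continue;
      if (mentions(m[2], SOURCES).length || mentions(m[2], [...tainted]).length) {
        tainted.add(m[1]);
        changed = true;
      }
    }
  }
  const flows = [];
  lines.forEach((text, i) => {
    const sinks = mentions(text, SINKS);
    if (!sinks.length) return;
    const via = [...mentions(text, SOURCES), ...mentions(text, [...tainted])];
    if (via.length) flows.push({ line: i + 1, sink: sinks[0], via });
  });
  return { tainted: [...tainted], flows };
}

for (const h of findSources(SAMPLE_JS)) console.log(`source ${h.name} @${h.line}: ${h.text}`);
for (const h of findSinks(SAMPLE_JS)) console.log(`sink   ${h.name} @${h.line}: ${h.text}`);
console.log('vulnerable flows:', taintedFlows(SAMPLE_JS).flows);
console.log('hardened flows  :', taintedFlows(HARDENED_JS).flows);
```

On the sample this reports location.search (line 1) and location.hash (line 4) as sources, innerHTML (line 3) and setTimeout (line 5) as sinks, and two flows: name into innerHTML and cb into setTimeout. On the hardened script the same sources are still found, but no flow is reported, which is the point of a source/sink review: a source alone is not a bug, a source reaching a sink is what you chase. The taint step is deliberately naive (a string literal containing a tainted name would count), which mirrors why fsource/fsink output needs the -C context and a human reading of the flow.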
Get ready!
curl -sLO https://github.com/ariary/DomXssFinder/releases/latest/download/fsink
curl -sLO https://github.com/ariary/DomXssFinder/releases/latest/download/fsource
chmod +x fsink fsource
mv fsink [path in $PATH] && mv fsource [path in $PATH]
Notes
See how to exploit: