Security/Features/JS Tainting
The current version of DOMinator adds three new methods to the JavaScript String object.
.newTainted takes two parameters: the string value and a string description of where the string originated. The second parameter is used by the UI to show which part of the layout provided the tainted string.
.tainted returns a boolean indicating whether the string is tainted.
.untaint untaints a previously tainted string, i.e. marks it as safe.
Here is a list of the currently supported operations on JavaScript strings.
| JS method | Comments on support |
|---|---|
| charAt | If the original string is tainted, the resulting character is tainted too. |
| concat (+) | If any of the strings taking part in the concat operation is tainted, the resulting string is tainted too. The tool also keeps metadata describing what kind of concat caused the taint (whether the tainted string was concatenated on the left or the right of the original string), and metadata describing which ranges of characters in the resulting string are tainted by which of the original strings. |
| decodeURIComponent | |
| decodeURI | |
| encodeURIComponent | |
| encodeURI | |
| escape | |
| quote | |
| string array indexing (str[index]) | |
| slice | |
| split | |
| match | match and replace potentially have edge cases where the taint flag is not propagated. We have to analyze the code and establish definitively what, if any, those conditions are. |
| replace | |
| substr | |
| substring | |
| toLower | |
| toUpper | |
| trim | |
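The following is an added example, not DOMinator's own code: a small JavaScript model of the taint-tracking API described above (.newTainted / .tainted / .untaint) together with the propagation rules from the table, including the per-range origin metadata kept for concat and the narrowing of that metadata through charAt, slice, substr and substring. The class name, the `clean` and `taintReport` helpers and the "location.hash" origin label are assumptions for illustration; DOMinator itself instruments the engine's String implementation rather than wrapping values in a class.

```javascript
// Added example, not DOMinator's own code: a model of string taint tracking
// following the page's description of .newTainted / .tainted / .untaint and
// of taint propagation through concat, charAt, slice/substr/substring and
// case conversion, with per-range origin metadata as described for concat.
// Class and helper names are assumptions for illustration.

class TaintedString {
  constructor(value, ranges) {
    this.value = value;         // the underlying JS string
    // ranges: [{start, end, source}] -- characters [start, end) came from
    // the tainted origin `source` (the description passed to newTainted).
    this.ranges = ranges || [];
  }

  // Like the page's .newTainted(value, origin): every character is tainted.
  static newTainted(value, origin) {
    return new TaintedString(value, [{ start: 0, end: value.length, source: origin }]);
  }

  static clean(value) { return new TaintedString(String(value), []); }

  tainted() { return this.ranges.length > 0; }

  // Marks the string safe, e.g. after it has been escaped for its sink.
  untaint() { return TaintedString.clean(this.value); }

  // Ranges overlapping [start, end), re-based so the slice starts at 0.
  rangesWithin(start, end) {
    const out = [];
    for (const r of this.ranges) {
      const s = Math.max(r.start, start), e = Math.min(r.end, end);
      if (s < e) out.push({ start: s - start, end: e - start, source: r.source });
    }
    return out;
  }

  // concat: tainted if either operand is; the right operand's ranges are
  // shifted by the left operand's length so origins stay position-accurate.
  concat(other) {
    const o = other instanceof TaintedString ? other : TaintedString.clean(other);
    const shift = this.value.length;
    const shifted = o.ranges.map(r => ({ start: r.start + shift, end: r.end + shift, source: r.source }));
    return new TaintedString(this.value + o.value, this.ranges.concat(shifted));
  }

  charAt(i) { return this.slice(i, i + 1); }

  // slice/substr/substring follow the argument rules of their String
  // counterparts and keep only the ranges that fall inside the result.
  slice(start, end) {
    const len = this.value.length;
    const s = start < 0 ? Math.max(len + start, 0) : Math.min(start, len);
    const e = end === undefined ? len : (end < 0 ? Math.max(len + end, 0) : Math.min(end, len));
    if (s >= e) return TaintedString.clean("");
    return new TaintedString(this.value.slice(s, e), this.rangesWithin(s, e));
  }

  substr(start, length) {
    const len = this.value.length;
    const s = start < 0 ? Math.max(len + start, 0) : Math.min(start, len);
    const e = length === undefined ? len : Math.min(s + Math.max(length, 0), len);
    return this.slice(s, e);
  }

  substring(start, end) {
    const len = this.value.length;
    let s = Math.min(Math.max(start, 0), len);
    let e = end === undefined ? len : Math.min(Math.max(end, 0), len);
    if (s > e) [s, e] = [e, s];   // substring swaps reversed arguments
    return this.slice(s, e);
  }

  // Case mapping can change the length of some Unicode strings (e.g. "ß" ->
  // "SS"); positions are only kept when the length is unchanged, otherwise
  // the whole result is marked tainted by every original source.
  mapCase(fn) {
    const v = fn(this.value);
    if (v.length === this.value.length) return new TaintedString(v, this.ranges);
    const sources = [...new Set(this.ranges.map(r => r.source))];
    return new TaintedString(v, sources.map(src => ({ start: 0, end: v.length, source: src })));
  }
  toUpperCase() { return this.mapCase(s => s.toUpperCase()); }
  toLowerCase() { return this.mapCase(s => s.toLowerCase()); }
}

// What a UI (or a log line) would report for a string that reached a sink:
// which origin tainted which character range of the final value.
function taintReport(ts) {
  return ts.ranges.map(r => `${r.source} -> [${r.start}, ${r.end}) "${ts.value.slice(r.start, r.end)}"`);
}

// Constructed walk-through: a clean template wrapped around a value that
// came from location.hash (the origin label is an assumption).
const fromHash = TaintedString.newTainted("abc", "location.hash");
const markup = TaintedString.clean("<div>").concat(fromHash).concat("</div>");
console.log(markup.value, markup.tainted());   // <div>abc</div> true
console.log(taintReport(markup));              // [ 'location.hash -> [5, 8) "abc"' ]
```

The point of the range metadata is visible in the last line: when `markup` reaches a sink, the report says exactly which characters came from the untrusted origin, which is what the UI needs to point at the part of the layout that supplied them. Note also that `untaint` returns a fresh value rather than mutating, so a string that was escaped for one sink cannot silently turn into a "safe" version of the same value held elsewhere.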