Missing Sink: Element.setAttribute()

[leeN]

Upon reading the Probe the Proto paper I noticed how they claim that Element.setAttribute is the most common XSS sink they encountered. We currently do support said sink however.

Consider the following document:

<!DOCTYPE html>
<html>

  <head>
    <title>SetAttribute Test</title>
    <script>
      function load() {
        let handler =location.hash.substr(1);
        handler = decodeURIComponent(handler);
        let i = document.querySelector("#target");
        i.setAttribute("onload", handler);
        i.setAttribute("src", "https://raw.githubusercontent.com/SAP/project-foxhound/main/browser/branding/foxhound/default128.png");

      }
    </script>
  </head>

  <body onload="load()">

    <img id="target" src="x" />
  </body>
</html>

When opened in Foxhound as follows: setAttribute.html#alert(1) I would expect a taintflow from location.hash to Element.setAttribute but nothing is reported.

[tmbrbr]

I think that the generic setAttribute sink used to be supported but is extremely noisy (and only leads to XSS in certain cases).

For example, img.src should be implemented as a sink. It could be that setting this attribute via setAttribute doesn't trigger properly.

[leeN]

Hmm, yes, the img.src reporting part seems to be here. That was the first foxhound bug we talked about a few years ago I think heh :)

But you are right, reporting every setAttribute call might be too noisy, but not sure there is a "easy" list of attributes that are potentially dangerous per element.