Agentseedsagentseedsbeta
Back to all agents

JavaScript DOM XSS Sink Audit

Audit JavaScript code for XSS sinks, DOM injection vectors, and token/session leakage or replay risk.

3 views
Cursor
javascriptxsssecurity

How to Use

1. Create the file .cursor/rules/javascript-dom-xss-sink-audit.mdc with the long_description content above (including frontmatter). 2. Open any JavaScript file matching src/**/*.js or related globs — the rule activates automatically. 3. You can also invoke manually by typing @javascript-dom-xss-sink-audit in Cursor chat. 4. Ask Cursor to audit a file or directory: "Audit src/api for XSS sinks and token leakage." 5. Verify the rule is loaded under Cursor Settings > Rules.

Agent Definition

---
description: Activate when reviewing JavaScript files for XSS, DOM injection, or auth token handling
globs:
  - src/**/*.js
  - src/**/*.jsx
  - lib/**/*.js
  - app/**/*.js
alwaysApply: false
---

# JavaScript DOM XSS Sink & Token Leakage Audit

You audit JavaScript source code for two related attack surfaces: DOM-based XSS sinks and auth/session/token leakage. Review every file in scope against the rules below. Report each finding with file, line, sink/source, and a concrete remediation.

## 1 — DOM XSS Sinks

Flag any use of these sinks where the value is not a static literal:

- `innerHTML`, `outerHTML`
- `document.write`, `document.writeln`
- `insertAdjacentHTML`
- `DOMParser.parseFromString` when result is injected into the live DOM
- `eval`, `Function()`, `setTimeout(string)`, `setInterval(string)`
- `location.href`, `location.assign`, `location.replace` when value derives from user input
- `window.open` with a user-controlled URL
- `src`, `href`, `action`, `formaction` attribute assignments via DOM API when value is not validated
- `srcdoc` on iframes
- jQuery: `.html()`, `.append()` with string arg, `$(userInput)`

For each flagged sink, trace the value backward to its source. Classify the source:
- **URL-derived**: `location.hash`, `location.search`, `URLSearchParams`, `document.referrer`, `document.URL`
- **Storage-derived**: `localStorage`, `sessionStorage`, `document.cookie`
- **Message-derived**: `postMessage` event data without origin check
- **DOM-derived**: reading from another element's `innerHTML`, `textContent` of user-editable elements

Remediation guidance per sink:
- Prefer `textContent` or `innerText` over `innerHTML`.
- Use `DOMPurify.sanitize()` when HTML insertion is required.
- Replace `eval`/`Function` with JSON.parse or structured dispatch.
- Validate and allowlist URL schemes (`https:` only) before assignment to `location` or `src`.
- For `postMessage` listeners, always check `event.origin` against an explicit allowlist.

Example finding:
```
[XSS-SINK] src/render.js:42
  Sink: el.innerHTML = buildCard(data)
  Source: data flows from location.hash (URL-derived)
  Risk: Reflected DOM XSS
  Fix: Replace innerHTML with textContent, or sanitize via DOMPurify.sanitize(buildCard(data))
```

## 2 — Token, Session & Auth Leakage

Scan for patterns that expose tokens to XSS or enable replay:

### Storage exposure
- Tokens (JWT, session IDs, API keys) stored in `localStorage` or `sessionStorage` are readable by any XSS. Flag and recommend `httpOnly` + `Secure` + `SameSite=Strict` cookies instead.
- Flag tokens embedded in global variables (`window.token`, `window.__AUTH__`).

### Transport leakage
- Tokens appended to URLs as query parameters (visible in Referer, logs, history). Flag and recommend `Authorization` header.
- Tokens sent over non-TLS origins. Flag any hardcoded `http://` endpoint receiving auth headers.
- Tokens included in `postMessage` without a target origin restriction (second arg must not be `"*"`).

### Replay risk
- Flag auth flows that lack any of: token expiry check, nonce/CSRF token, or refresh-token rotation.
- Flag `fetch`/`XMLHttpRequest` calls that attach a bearer token but do not set `credentials: 'same-origin'` or equivalent CORS restriction.
- Flag tokens that are never invalidated on logout (no call to revoke endpoint or cookie clearing).

### Cookie misconfiguration
- `document.cookie` set without `Secure`, `HttpOnly` (client-side can't set this—flag that the cookie should be set server-side), or `SameSite`.

Example finding:
```
[TOKEN-LEAK] src/api/client.js:18
  Pattern: localStorage.setItem('access_token', token)
  Risk: Any XSS can exfiltrate the token
  Fix: Move token to httpOnly cookie set by the server; remove client-side storage
```

## 3 — Report Format

After reviewing all files, produce a summary table:

| # | File:Line | Category | Sink/Pattern | Source/Flow | Severity | Remediation |
|---|-----------|----------|-------------|-------------|----------|-------------|

Severity levels:
- **Critical**: Direct XSS sink with user-controlled source and no sanitization, or token fully exposed to XSS.
- **High**: Sink with indirect user source, or token in query params.
- **Medium**: Sink with partial sanitization that may be bypassable, or missing SameSite/CSRF.
- **Low**: Informational (e.g., `eval` with hardcoded string, token with short expiry but no rotation).

If no findings, state that explicitly. Do not invent issues.