L.S.
Linting for javascript errors and flaws, e.g.
javascript-validation. Combine with results from vulners webs scanner extension, Zen Mate Web Firewall extension &
Javascript Error Notifier extension and shodan extension for eventual website server info.
Using an online Javascript Validator:
http://beautifytools.com/javascript-validator.phpTested: -https://refugiodocapitao.com.br/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1
Number of sources found: 3
Number of sinks found: 0
Linting produced:
Line Col Errors
5 1 Missing semicolon.
0 0 Use the function form of "use strict".
26 94 Missing semicolon.
31 146 Use '===' to compare with 'false'.
Scanned for retirable jQuery library: -https://refugiodocapitao.com.br/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1
Detected libraries:
jquery-migrate - 1.4.1 : -https://refugiodocapitao.com.br/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1
No vulnerable libraries found
Line Col Errors
222 58 Unnecessary semicolon.
258 18 'options' is defined but never used.
298 22 'e' is defined but never used.
308 28 'e' is defined but never used.
360 35 'options' is defined but never used.
399 1 'new_max' is defined but never used.
424 53 'options' is defined but never used.
475 1 'whCustom' is defined but never used.
530 22 'index' is defined but never used.
460 1 'html_el' is defined but never used.
464 1 'full_slider' is defined but never used.
651 8 Use '===' to compare with '0'.
695 27 'direction' is defined but never used.
751 58 Expected an assignment or function call and instead saw an expression.
760 9 ['jswing'] is better written in dot notation.
760 30 ['swing'] is better written in dot notation.
794 62 A leading decimal point can be confused with a dot: '.3'.
801 62 A leading decimal point can be confused with a dot: '.3'.
808 65 A leading decimal point can be confused with a dot: '.3'.
811 22 A leading decimal point can be confused with a dot: '.5'.
812 71 A leading decimal point can be confused with a dot: '.5'.
834 41 A leading decimal point can be confused with a dot: '.75'.
836 44 A leading decimal point can be confused with a dot: '.9375'.
838 47 A leading decimal point can be confused with a dot: '.984375'.
842 70 A leading decimal point can be confused with a dot: '.5'.
843 60 A leading decimal point can be confused with a dot: '.5'.
843 67 A leading decimal point can be confused with a dot: '.5'.
781 49 Use '===' to compare with '0'.
784 6 Use '===' to compare with '0'.
794 6 Use '===' to compare with '0'.
795 33 's' is already defined.
796 10 's' is already defined.
801 6 Use '===' to compare with '0'.
802 33 's' is already defined.
803 10 's' is already defined.
808 6 Use '===' to compare with '0'.
809 33 's' is already defined.
810 10 's' is already defined.
815 7 Use '===' to compare with 'undefined'.
819 7 Use '===' to compare with 'undefined'.
823 7 Use '===' to compare with 'undefined'.
906 50 'delay' is defined but never used.
1173 17 Use '===' to compare with 'true'.
1289 5 'win' is defined but never used.
1186 22 'avia_is_mobile' is not defined.
Then we gonna compare to detected sinks and sources via a DOM XSS scan:
But here we found sources and sinks in retirable code:
https://retire.insecurity.today/#!/scan/618f3f67a7d9c4e74e7f1378ebe74d92b11d17db042b56d657463ceec95256d0Detected sources and sinks: .parent, .top, .location, & location.href. =
Re:
https://domstorm.skepticfx.com/ ->
https://domstorm.skepticfx.com/modules?id=56b4dfde108b7c00007363acPentest tool like:
https://github.com/lwzSoviet/NoXssjQuery versions with known weaknesses
Bug 9521 - $("#<img src=x onerror=...>")
Bug 11290 - $("element[attribute='<img src=x onerror=...>'")
jQuery issue 2432 - 3rd party $.get() auto executes if content type is text/javascript
jQuery issue 11974 - parseHTML executes inline scripts like event handlers
enjoy, my good friends, enjoy.
polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)