Javascript: gadgets

[msrkp]

Recently, there is a discussion on twitter about finding javascript gadgets automatically.

https://twitter.com/freddyb/status/1274967753833709573?s=20

So I write a codeql js query to detect a gadget which turns user interaction xss to no user interaction xss.

https://lgtm.com/query/7906523580242320181/

There are many examples like this, here is a research presented by people @google

https://www.blackhat.com/docs/us-17/thursday/us-17-Lekies-Dont-Trust-The-DOM-Bypassing-XSS-Mitigations-Via-Script-Gadgets.pdf

If anybody interested you can improve the above codeql query.

cc @nicowaisman @intrigus-lgtm

[esbena]

Sorry for the late reply.

Additional context: the js/xss-through-dom query finds the other half of this exploit: the places where the developer incorrectly trusts the existing DOM content to be safe.

I think your query could be worth having. It would be very cool if it could be used in conjunction with js/xss-through-dom to find actual exploits rather than just the two gadget halves. Do you have an idea of the practical false positive rate of your gadget finder? Is this something developers would want to fix, or is it mainly just interesting for pentesters?