Flow Analysis

Flow Analysis scans captured proxy traffic for postMessage handlers and DOM sinks in JavaScript. It’s a static-analysis pass over response bodies that finds the building blocks of client-side vulnerabilities — addEventListener('message', ...) handlers without origin checks, sinks like innerHTML and eval reachable from controllable sources.

Where Taint Analysis confirms exploitability via runtime instrumentation, Flow Analysis surfaces candidates without browsing — useful for triaging large captures.

🔗What It Finds

🔗postMessage Handlers

Every window.addEventListener('message', fn) and onmessage = fn registration found in captured JavaScript. Per handler:

  • Source flow + URL where the handler was found
  • Origin validation present? (event.origin === ... check)
  • Origin validation strength (exact match / regex / wildcard / none)
  • Data sinks reached from the handler (innerHTML, eval, etc.)
  • Severity: Critical (no origin check and message data reaches a dangerous sink), High (an origin check exists but is weak, e.g. an unanchored regex or wildcard match), Medium (exact origin match but the data still reaches a dangerous sink), Low (exact origin match and safe usage only)
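To make the four tiers concrete, here is an added example; it is not code from Flow Analysis or from this page's author. Four message handlers are written the way the analyser would classify them, and a probe delivers a constructed payload from a lookalike origin to each. The trusted origin `https://app.example.com`, the lookalike `https://app.example.com.attacker.example`, the payload and the element stand-in are all assumptions made up for illustration.

```javascript
// Added example, not the tool's code: handlers written to the four severity
// tiers above, plus a probe that sends a constructed payload from a
// lookalike origin. All origins and the payload are made up.
const TRUSTED = 'https://app.example.com';
const ATTACKER = 'https://app.example.com.attacker.example'; // lookalike origin
const PAYLOAD = '<img src=x onerror=alert(1)>';             // constructed payload

// Critical: no origin check, message data written straight into innerHTML.
function handlerNoCheck(event, el) {
  el.innerHTML = event.data;
  return true;
}

// High: an origin check exists but is weak. The regex has no `$` anchor, so
// any origin that merely starts with the trusted one passes; the same
// mistake appears as origin.indexOf(...) !== -1 or origin.startsWith(...).
function handlerWeakCheck(event, el) {
  if (!/^https:\/\/app\.example\.com/.test(event.origin)) return false;
  el.innerHTML = event.data;
  return true;
}

// Medium: exact origin match, but the payload still reaches an HTML sink.
// Anything that can script the trusted origin can still inject here.
function handlerExactCheckHtmlSink(event, el) {
  if (event.origin !== TRUSTED) return false;
  el.innerHTML = event.data;
  return true;
}

// Low: exact origin match and the data only ever lands in a text node.
function handlerExactCheckSafe(event, el) {
  if (event.origin !== TRUSTED) return false;
  el.textContent = String(event.data);
  return true;
}

// Minimal element stand-in so the probe runs outside a browser.
function fakeElement() {
  return { innerHTML: '', textContent: '' };
}

// Deliver one MessageEvent-shaped object to a handler and report the outcome.
function deliver(handler, origin, data) {
  const el = fakeElement();
  const handled = handler({ origin, data }, el);
  return { handled, innerHTML: el.innerHTML, textContent: el.textContent };
}

// Which handlers accept a message from the lookalike origin?
function probeFromAttacker() {
  return {
    noCheck:   deliver(handlerNoCheck, ATTACKER, PAYLOAD).handled,
    weakCheck: deliver(handlerWeakCheck, ATTACKER, PAYLOAD).handled,
    exactHtml: deliver(handlerExactCheckHtmlSink, ATTACKER, PAYLOAD).handled,
    exactSafe: deliver(handlerExactCheckSafe, ATTACKER, PAYLOAD).handled,
  };
}

console.log(probeFromAttacker());
```

The probe reports that the first two handlers accept the lookalike origin (the tiers the analyser marks Critical and High), while both exact-match handlers reject it; the difference between Medium and Low is only whether accepted data ends up in innerHTML or textContent. The fix for the weak tier is to compare `event.origin` against an explicit allowlist with `===` rather than pattern-matching it.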

🔗DOM Sinks

Dangerous JavaScript APIs found in captured responses, together with any user-controllable source the analyser can trace into them:

  • innerHTML, outerHTML, insertAdjacentHTML
  • document.write, document.writeln
  • eval, Function constructor, setTimeout(string), setInterval(string)
  • script.src (dynamic script loading)
  • location.assign, location.replace, location.href (open redirect)
  • jQuery.html, $.html (jQuery sinks)

For each sink, the analyser tracks what could control it — location.hash, location.search, document.referrer, window.name, localStorage, postMessage data — depending on the source-tracking heuristics in analyze_dom_content.
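As an added illustration of the source-to-sink matching described above, the following stand-alone scanner is not the analyser's own `analyze_dom_content`; it is a deliberately small approximation. It matches a subset of the sink list with regular expressions, looks for the listed sources in each sink's argument, and follows `const`/`let`/`var` aliasing so that `const frag = location.hash...; el.innerHTML = frag` is still caught. The JavaScript it scans is constructed sample text, `event.data` is a naive stand-in for postMessage payloads, and the `hasSource` flag mirrors the Has source filter; CWE mapping, severity and confidence are left out.

```javascript
// Added example, not the analyser's own code: a regex-based approximation
// of source-to-sink matching over JavaScript text. Sink and source lists
// are a subset of the ones documented above; everything else is heuristic.

// Each sink regex has exactly one capture group: the expression written
// into the sink. `.src =` cannot tell a <script> from an <img>, so it is
// reported as a candidate only.
const SINKS = [
  { type: 'innerHTML',          re: /\.(?:innerHTML|outerHTML)\s*=\s*([^;]+)/ },
  { type: 'insertAdjacentHTML', re: /\.insertAdjacentHTML\s*\([^,]+,\s*([^)]+)\)/ },
  { type: 'document.write',     re: /document\.write(?:ln)?\s*\(([^)]+)\)/ },
  { type: 'eval',               re: /(?:\beval|new\s+Function)\s*\(([^)]+)\)/ },
  { type: 'script.src',         re: /\.src\s*=\s*([^;]+)/ },
  { type: 'location',           re: /location\.(?:href\s*=|assign\s*\(|replace\s*\()\s*([^;)]+)/ },
  { type: 'jQuery.html',        re: /\$\([^)]*\)\.html\s*\(([^)]+)\)/ },
];

// Attacker-influenced sources, matched as literal text. `event.data` is a
// naive stand-in for postMessage payloads; a real analyser resolves the
// handler's parameter name instead.
const SOURCES = [
  'location.hash', 'location.search', 'document.referrer',
  'window.name', 'localStorage', 'event.data',
];

// Sources present in `expr`, directly or via an identifier that an earlier
// declaration bound to a source.
function sourcesIn(expr, aliases) {
  const found = new Set();
  for (const s of SOURCES) if (expr.includes(s)) found.add(s);
  for (const [name, srcs] of aliases) {
    if (new RegExp(`\\b${name}\\b`).test(expr)) srcs.forEach(s => found.add(s));
  }
  return [...found];
}

// Scan one JavaScript body line by line. Returns a finding per sink match:
// { line, sink, expr, sources, hasSource }.
function scanJs(code) {
  const aliases = new Map(); // identifier -> sources it may carry
  const findings = [];
  code.split('\n').forEach((text, i) => {
    // Record `const x = <expr containing a source>` so later uses of x count.
    const decl = text.match(/\b(?:var|let|const)\s+(\w+)\s*=\s*([^;]+)/);
    if (decl) {
      const srcs = sourcesIn(decl[2], aliases);
      if (srcs.length) aliases.set(decl[1], srcs);
    }
    for (const sink of SINKS) {
      const m = text.match(sink.re);
      if (!m) continue;
      const sources = sourcesIn(m[1], aliases);
      findings.push({ line: i + 1, sink: sink.type, expr: m[1].trim(),
                      sources, hasSource: sources.length > 0 });
    }
  });
  return findings;
}

// Equivalent of the "Has source" filter.
function withSource(findings) {
  return findings.filter(f => f.hasSource);
}

// Constructed sample: three tainted flows, one untainted sink, one safe use.
const SAMPLE = [
  "const out = document.getElementById('out');",
  "const frag = decodeURIComponent(location.hash.slice(1));",
  "out.innerHTML = frag;",                                   // hash -> innerHTML
  "const dest = new URLSearchParams(location.search).get('next');",
  "if (dest) location.replace(dest);",                       // search -> redirect
  "window.addEventListener('message', function (event) {",
  "  eval(event.data);",                                     // postMessage -> eval
  "});",
  "out.textContent = location.hash;",                        // not a sink
  "footer.innerHTML = '<b>' + SITE_NAME + '</b>';",          // sink, no source
].join('\n');

console.log(scanJs(SAMPLE));
```

Running it on the sample yields four findings: innerHTML fed from `location.hash` through the `frag` alias, a redirect fed from `location.search` through `dest`, `eval` fed directly from `event.data`, and an innerHTML write with no traceable source; `withSource` drops the last one. The `textContent` assignment is not reported because it is not a sink, which is exactly the distinction the Has source filter and the sink list encode.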

🔗Workflow

  1. Capture traffic (proxy + crawler).

  2. Open Flow Analysis view.

  3. Click Run — analyses all captured JS responses in the active project.

  4. Browse findings:

    • postMessage tab — handlers grouped by origin-check quality
    • DOM Sinks tab — sinks grouped by sink type
    • All tab — combined list

  5. Click any finding to jump to the source line in the response viewer.

🔗Filters

  • Host
  • Sink type
  • Has source (keep only flows where a controllable source reaches the sink)
  • Severity
  • Confidence

🔗Following Up With Taint Analysis

Static analysis surfaces candidates. To confirm exploitability with runtime evidence, take a candidate URL and run Taint Analysis against it — runtime instrumentation will trace whether attacker-controlled values actually reach the flagged sink.

🔗MCP

The flow_analysis MCP tool exposes:

  • postmessage — list discovered postMessage handlers
  • dom_sinks — list discovered DOM sinks
  • all — combined results

Each result includes the source flow ID, sink type, suggested source, severity, and CWE classification.