From 57208abfd47e956d369be368b1ebde29a8ad69fe Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Thu, 31 Jul 2025 01:44:28 +0000 Subject: [PATCH 1/2] Add content from: Research Update: Enhanced src/pentesting-web/xss-cross-site-... --- .../xss-cross-site-scripting/dom-invader.md | 136 ++++++++++++------ 1 file changed, 89 insertions(+), 47 deletions(-) diff --git a/src/pentesting-web/xss-cross-site-scripting/dom-invader.md b/src/pentesting-web/xss-cross-site-scripting/dom-invader.md index f9d87b5b0..e0c772c4e 100644 --- a/src/pentesting-web/xss-cross-site-scripting/dom-invader.md +++ b/src/pentesting-web/xss-cross-site-scripting/dom-invader.md @@ -4,80 +4,123 @@ ## DOM Invader -DOM Invader is a browser tool installed in Burp's inbuilt browser. It assists in **detecting DOM XSS vulnerabilities** using various sources and sinks, including web messages and prototype pollution. The tool is preinstalled as an extension. +DOM Invader is a browser tool installed in **Burp Suite's built-in Chromium browser**. It assists in **detecting DOM XSS and other client-side vulnerabilities** (prototype pollution, DOM clobbering, etc.) by automatically **instrumenting JavaScript sources and sinks**. The extension ships with Burp and only needs to be enabled. -DOM Invader integrates a tab within the browser's DevTools panel enabling the following: +DOM Invader adds a tab to the browser’s DevTools panel that lets you: -1. **Identification of controllable sinks** on a webpage for DOM XSS testing, providing context and sanitization details. -2. **Logging, editing, and resending web messages** sent via the `postMessage()` method for DOM XSS testing. DOM Invader can also auto-detect vulnerabilities using specially crafted web messages. -3. Detection of **client-side prototype pollution** sources and scanning of controllable gadgets sent to risky sinks. -4. Identification of **DOM clobbering vulnerabilities**. +1. **Identify controllable sinks** in real time, including context (attribute, HTML, URL, JS) and applied sanitization. +2. **Log, edit and resend `postMessage()` web-messages**, or let the extension mutate them automatically. +3. **Detect client-side prototype-pollution sources and scan for gadget→sink chains**, generating PoCs on-the-fly. +4. **Find DOM clobbering vectors** (e.g. `id` / `name` collisions that overwrite global variables). +5. **Fine-tune behaviour** via a rich Settings UI (custom canary, auto-injection, redirect blocking, source/sink lists, etc.). -### Enable It +--- -In the Burp's builtin browser go to the **Burp extension** and enable it: +### 1. Enable it -
+1. Open **Proxy ➜ Intercept ➜ Open Browser** (Burp’s embedded browser). +2. Click the **Burp Suite** logo (top-right). If it’s hidden, click the jigsaw-piece first. +3. In **DOM Invader** tab, toggle **Enable DOM Invader** ON and press **Reload**. +4. Open DevTools ( `F12` / Right-click ➜ Inspect ) and dock it. A new **DOM Invader** panel appears. -Noe refresh the page and in the **Dev Tools** you will find the **DOM Invader tab:** +> Burp remembers the state per profile. Disable it under *Settings ➜ Tools ➜ Burp’s browser ➜ Store settings...* if required. -
+### 2. Inject a Canary -### Inject a Canary +A **canary** is a random marker string (e.g. `xh9XKYlV`) that DOM Invader tracks. You can: -In the previous image you can see a **random group of chars, that is the Canary**. You should now start **injecting** it in different parts of the web (params, forms, url...) and each time click search it. DOM Invader will check if the **canary ended in any interesting sink** that could be exploited. +* **Copy** it and manually inject it in parameters, forms, Web-Socket frames, web-messages, etc. +* Use **Inject URL params / Inject forms** buttons to open a new tab where the canary is appended to every query key/value or form field automatically. +* Search for an **empty canary** to reveal all sinks regardless of exploitability (great for reconnaissance). -Moreover, the options **Inject URL params** and Inject forms will automatically open a **new tab** **injecting** the **canary** in every **URL** param and **form** it finds. +#### Custom canary (2025+) -### Inject an empty Canary +Burp 2024.12 introduced **Canary settings** (Burp-logo ➜ DOM Invader ➜ Canary). You can: -If you just want to find potential sinks the page might have, even if they aren't exploitable, you can **search for an empty canary**. +* **Randomize** or set a **custom string** (helpful for multi-tab testing or when the default value appears naturally on the page). +* **Copy** the value to clipboard. +* Changes require **Reload**. -### Post Messages +--- -DOM Invader allows testing for DOM XSS using web messages with features such as: +### 3. Web-messages (`postMessage`) -1. **Logging web messages** sent via `postMessage()`, akin to Burp Proxy's HTTP request/response history logging. -2. **Modification** and **reissue** of web messages to manually test for DOM XSS, similar to Burp Repeater's function. -3. **Automatic alteration** and sending of web messages for probing DOM XSS. +The **Messages** sub-tab records every `window.postMessage()` call, showing `origin`, `source`, and `data` usage. -#### Message details +• **Modify & resend**: double-click a message, edit `data`, and press **Send** (Burp Repeater-like). -Detailed information can be viewed about each message by clicking on it, which includes whether the client-side JavaScript accesses the `origin`, `data`, or `source` properties of the message. +• **Auto-fuzz**: enable **Postmessage interception ➜ Auto-mutate** in settings to let DOM Invader generate canary-based payloads and replay them to the handler. -- **`origin`** : If the **origin information of the message is not check**, you may be able to send cross-origin messages to the event handler **from an arbitrary external domain**. But if it's checked it still could be insecure. -- **`data`**: This is where the payload is sent. If this data is not used, the sink is useless. -- **`source`**: Evaluates if the source property, usually referencing an iframe, is validated instead of the origin. Even if this is checked, it doesn't assure the validation can't be bypassed. +Field meaning recap: -#### Reply a message +* **origin** – whether the handler validates `event.origin`. +* **data** – payload location. If unused, the sink is irrelevant. +* **source** – iframe / window reference validation; often weaker than strict‐origin checking. -1. From the **Messages** view, click on any message to open the message details dialog. -2. Edit the **Data** field as required. -3. Click **Send**. +--- -### Prototype Pollution +### 4. Prototype Pollution -DOM Invader can also search for **Prototype Pollution vulnerabilities**. First, you need to enable it: +Enable under **Settings ➜ Attack types ➜ Prototype pollution**. -
+Workflow: -Then, it will **search for sources** that enable you to add arbitrary properties to the **`Object.prototype`**. +1. **Browse** – DOM Invader flags pollution **sources** (`__proto__`, `constructor`, `prototype`) found in URL/query/hash or JSON web-messages. +2. **Test** – clicks *Test* to open a PoC tab where `Object.prototype.testproperty` should exist: -If anything is found a **Test** button will appear to **test the found source**. Click on it, a new tab will appear, create an object in the console and check if the `testproperty` exists: + ```javascript + let obj = {}; + console.log(obj.testproperty); // ➜ 'DOM_INVADER_PP_POC' + ``` +3. **Scan for gadgets** – DOM Invader bruteforces property names and tracks whether any end up in dangerous sinks (e.g. `innerHTML`). +4. **Exploit** – when a gadget-sink chain is found an *Exploit* button appears that chains source + gadget + sink to trigger alert. -```javascript -let b = {} -b.testproperty -``` +Advanced settings (cog icon): -Once you found a source you can **scan for a gadget**: +* **Remove CSP / X-Frame-Options** to keep iframes workable during gadget scanning. +* **Scan techniques in separate frames** to avoid `__proto__` vs `constructor` interference. +* **Disable techniques** individually for fragile apps. -1. A new tab is opened by DOM Invader when the **Scan for gadgets** button, which can be found next to any identified prototype pollution source in the **DOM** view, is clicked. The scanning for suitable gadgets then begins. -2. Meanwhile, in the same tab, the **DOM Invader** tab should be opened in the DevTools panel. After the scan completes, any sinks accessible via the identified gadgets are displayed in the **DOM** view. For instance, a gadget property named `html` being passed to the `innerHTML` sink is shown in the example below. +--- -## DOM clobbering +### 5. DOM Clobbering -In the previous image it's possible to see that DOM clobbering scan can be turned on. Once done, **DOM Invader will start searching for DOM clobbering vulnerabilities**. +Toggle **Attack types ➜ DOM clobbering**. DOM Invader monitors dynamically created elements whose `id`/`name` attributes collide with global variables or form objects (`` → clobbers `window.location`). An entry is produced whenever user-controlled markup leads to variable replacement. + +--- + +## 6. Settings Overview (2025) + +DOM Invader is now split into **Main / Attack Types / Misc / Canary** categories. + +1. **Main** + * **Enable DOM Invader** – global switch. + * **Postmessage interception** – turn on/off message logging; sub-toggles for auto-mutation. + * **Custom Sources/Sinks** – *cog icon* ➜ enable/disable specific sinks (e.g. `eval`, `setAttribute`) that may break the app. + +2. **Attack Types** + * **Prototype pollution** (with per-technique settings). + * **DOM clobbering**. + +3. **Misc** + * **Redirect prevention** – block client-side redirects so the sink list isn’t lost. + * **Breakpoint before redirect** – pause JS just before redirect for call-stack inspection. + * **Inject canary into all sources** – auto-inject canary everywhere; configurable source/parameter allow-list. + +4. **Canary** + * View / randomize / set custom canary; copy to clipboard. Changes require browser reload. + +--- + +### 7. Tips & Good Practices + +* **Use distinct canary** – avoid common strings like `test`, otherwise false-positives occur. +* **Disable heavy sinks** (`eval`, `innerHTML`) temporarily if they break page functionality during navigation. +* **Combine with Burp Repeater & Proxy** – replicate the browser request/response that produced a vulnerable state and craft final exploit URLs. +* **Remember frame scope** – sources/sinks are displayed per browsing context; vulnerabilities inside iframes might need manual focus. +* **Export evidence** – right-click the DOM Invader panel ➜ *Save screenshot* to include in reports. + +--- ## References @@ -87,8 +130,7 @@ In the previous image it's possible to see that DOM clobbering scan can be turne - [https://portswigger.net/burp/documentation/desktop/tools/dom-invader/web-messages](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/web-messages) - [https://portswigger.net/burp/documentation/desktop/tools/dom-invader/prototype-pollution](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/prototype-pollution) - [https://portswigger.net/burp/documentation/desktop/tools/dom-invader/dom-clobbering](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/dom-clobbering) +- [https://portswigger.net/burp/documentation/desktop/tools/dom-invader/settings/canary](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/settings/canary) +- [https://portswigger.net/burp/documentation/desktop/tools/dom-invader/settings/misc](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/settings/misc) {{#include ../../banners/hacktricks-training.md}} - - - From 500e9aa476904f6b4de325eac980ba002d7941cd Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Mon, 4 Aug 2025 11:47:40 +0200 Subject: [PATCH 2/2] Update dom-invader.md --- src/pentesting-web/xss-cross-site-scripting/dom-invader.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/pentesting-web/xss-cross-site-scripting/dom-invader.md b/src/pentesting-web/xss-cross-site-scripting/dom-invader.md index e0c772c4e..117ccdccc 100644 --- a/src/pentesting-web/xss-cross-site-scripting/dom-invader.md +++ b/src/pentesting-web/xss-cross-site-scripting/dom-invader.md @@ -18,6 +18,8 @@ DOM Invader adds a tab to the browser’s DevTools panel that lets you: ### 1. Enable it +
+ 1. Open **Proxy ➜ Intercept ➜ Open Browser** (Burp’s embedded browser). 2. Click the **Burp Suite** logo (top-right). If it’s hidden, click the jigsaw-piece first. 3. In **DOM Invader** tab, toggle **Enable DOM Invader** ON and press **Reload**.