maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/pentesting-web/xss-cross-site-scripting/dom-invader.md
SirBroccoli 500e9aa476 Update dom-invader.md
2025-08-04 11:47:40 +02:00

139 lines
7.3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# DOM Invader
{{#include ../../banners/hacktricks-training.md}}
## DOM Invader
DOM Invader is a browser tool installed in **Burp Suite's built-in Chromium browser**. It assists in **detecting DOM XSS and other client-side vulnerabilities** (prototype pollution, DOM clobbering, etc.) by automatically **instrumenting JavaScript sources and sinks**. The extension ships with Burp and only needs to be enabled.
DOM Invader adds a tab to the browsers DevTools panel that lets you:
1. **Identify controllable sinks** in real time, including context (attribute, HTML, URL, JS) and applied sanitization.
2. **Log, edit and resend `postMessage()` web-messages**, or let the extension mutate them automatically.
3. **Detect client-side prototype-pollution sources and scan for gadget→sink chains**, generating PoCs on-the-fly.
4. **Find DOM clobbering vectors** (e.g. `id` / `name` collisions that overwrite global variables).
5. **Fine-tune behaviour** via a rich Settings UI (custom canary, auto-injection, redirect blocking, source/sink lists, etc.).
---
### 1. Enable it
<figure><img src="../../images/image (1129).png" alt=""><figcaption></figcaption></figure>
1. Open **Proxy ➜ Intercept ➜ Open Browser** (Burps embedded browser).
2. Click the **Burp Suite** logo (top-right). If its hidden, click the jigsaw-piece first.
3. In **DOM Invader** tab, toggle **Enable DOM Invader** ON and press **Reload**.
4. Open DevTools ( `F12` / Right-click ➜ Inspect ) and dock it. A new **DOM Invader** panel appears.
> Burp remembers the state per profile. Disable it under *Settings ➜ Tools ➜ Burps browser ➜ Store settings...* if required.
### 2. Inject a Canary
A **canary** is a random marker string (e.g. `xh9XKYlV`) that DOM Invader tracks. You can:
* **Copy** it and manually inject it in parameters, forms, Web-Socket frames, web-messages, etc.
* Use **Inject URL params / Inject forms** buttons to open a new tab where the canary is appended to every query key/value or form field automatically.
* Search for an **empty canary** to reveal all sinks regardless of exploitability (great for reconnaissance).
#### Custom canary (2025+)
Burp 2024.12 introduced **Canary settings** (Burp-logo ➜ DOM Invader ➜ Canary). You can:
* **Randomize** or set a **custom string** (helpful for multi-tab testing or when the default value appears naturally on the page).
* **Copy** the value to clipboard.
* Changes require **Reload**.
---
### 3. Web-messages (`postMessage`)
The **Messages** sub-tab records every `window.postMessage()` call, showing `origin`, `source`, and `data` usage.
**Modify & resend**: double-click a message, edit `data`, and press **Send** (Burp Repeater-like).
**Auto-fuzz**: enable **Postmessage interception ➜ Auto-mutate** in settings to let DOM Invader generate canary-based payloads and replay them to the handler.
Field meaning recap:
* **origin** whether the handler validates `event.origin`.
* **data** payload location. If unused, the sink is irrelevant.
* **source** iframe / window reference validation; often weaker than strictorigin checking.
---
### 4. Prototype Pollution
Enable under **Settings ➜ Attack types ➜ Prototype pollution**.
Workflow:
1. **Browse** DOM Invader flags pollution **sources** (`__proto__`, `constructor`, `prototype`) found in URL/query/hash or JSON web-messages.
2. **Test** clicks *Test* to open a PoC tab where `Object.prototype.testproperty` should exist:
```javascript
let obj = {};
console.log(obj.testproperty); // ➜ 'DOM_INVADER_PP_POC'
```
3. **Scan for gadgets** DOM Invader bruteforces property names and tracks whether any end up in dangerous sinks (e.g. `innerHTML`).
4. **Exploit** when a gadget-sink chain is found an *Exploit* button appears that chains source + gadget + sink to trigger alert.
Advanced settings (cog icon):
* **Remove CSP / X-Frame-Options** to keep iframes workable during gadget scanning.
* **Scan techniques in separate frames** to avoid `__proto__` vs `constructor` interference.
* **Disable techniques** individually for fragile apps.
---
### 5. DOM Clobbering
Toggle **Attack types ➜ DOM clobbering**. DOM Invader monitors dynamically created elements whose `id`/`name` attributes collide with global variables or form objects (`<input name="location">` → clobbers `window.location`). An entry is produced whenever user-controlled markup leads to variable replacement.
---
## 6. Settings Overview (2025)
DOM Invader is now split into **Main / Attack Types / Misc / Canary** categories.
1. **Main**
* **Enable DOM Invader** global switch.
* **Postmessage interception** turn on/off message logging; sub-toggles for auto-mutation.
* **Custom Sources/Sinks** *cog icon* ➜ enable/disable specific sinks (e.g. `eval`, `setAttribute`) that may break the app.
2. **Attack Types**
* **Prototype pollution** (with per-technique settings).
* **DOM clobbering**.
3. **Misc**
* **Redirect prevention** block client-side redirects so the sink list isnt lost.
* **Breakpoint before redirect** pause JS just before redirect for call-stack inspection.
* **Inject canary into all sources** auto-inject canary everywhere; configurable source/parameter allow-list.
4. **Canary**
* View / randomize / set custom canary; copy to clipboard. Changes require browser reload.
---
### 7. Tips & Good Practices
* **Use distinct canary** avoid common strings like `test`, otherwise false-positives occur.
* **Disable heavy sinks** (`eval`, `innerHTML`) temporarily if they break page functionality during navigation.
* **Combine with Burp Repeater & Proxy** replicate the browser request/response that produced a vulnerable state and craft final exploit URLs.
* **Remember frame scope** sources/sinks are displayed per browsing context; vulnerabilities inside iframes might need manual focus.
* **Export evidence** right-click the DOM Invader panel ➜ *Save screenshot* to include in reports.
---
## References
- [https://portswigger.net/burp/documentation/desktop/tools/dom-invader](https://portswigger.net/burp/documentation/desktop/tools/dom-invader)
- [https://portswigger.net/burp/documentation/desktop/tools/dom-invader/enabling](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/enabling)
- [https://portswigger.net/burp/documentation/desktop/tools/dom-invader/dom-xss](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/dom-xss)
- [https://portswigger.net/burp/documentation/desktop/tools/dom-invader/web-messages](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/web-messages)
- [https://portswigger.net/burp/documentation/desktop/tools/dom-invader/prototype-pollution](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/prototype-pollution)
- [https://portswigger.net/burp/documentation/desktop/tools/dom-invader/dom-clobbering](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/dom-clobbering)
- [https://portswigger.net/burp/documentation/desktop/tools/dom-invader/settings/canary](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/settings/canary)
- [https://portswigger.net/burp/documentation/desktop/tools/dom-invader/settings/misc](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/settings/misc)
{{#include ../../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink