Professional

AutoVader

AutoVader integrates DOM Invader with Playwright to automatically find DOM-based vulnerabilities through context menu actions. The extension launches an automated browser with DOM Invader configured, injects test payloads, and reports findings as Scanner issues.

Features

  • Scan for DOM XSS, prototype pollution, postMessage vulnerabilities, and client-side redirects through automated DOM Invader integration
  • Test GET parameters, POST parameters, web messages, and all identified sources with automatic payload injection
  • Configure custom payloads, HTML tags, attributes to scan, request delays, and headless operation through project-specific settings
  • Auto-trigger scans from Repeater, Intruder, or other extensions using $canary placeholders in requests
  • Deduplicate findings across scans and report issues directly to Scanner with unique project-specific canaries
  • Automatically detect Chromium and DOM Invader paths with manual override options if needed

Usage

  1. Right-click on any request in Target, Proxy History, or Repeater to access the AutoVader context menu
  2. Select a scan type such as "Scan all GET params", "Scan for client side prototype pollution", or "Inject into all sources & click everything"
  3. AutoVader launches a browser with DOM Invader, navigates to the target with appropriate payloads, and captures vulnerabilities
  4. Review the reported Scanner issues for DOM-based vulnerabilities identified during the automated scan
  5. Optionally configure settings like custom payloads, scan delays, and auto-run triggers through the AutoVader Settings panel

Author

Gareth Heyes, PortSwigger

Version

1.0.8

Last updated

09 December 2025

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

You can view the source code for all BApp Store extensions on our GitHub page.

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.
