Testing for DOM XSS with DOM Invader
Last updated: June 1, 2023
Read time: 1 Minute
To learn more about sources and sinks, see DOM-based vulnerabilities.
DOM Invader is pre-installed in Burp's browser. It's disabled by default as some of its features may interfere with your other testing activities.
Before you start
Enable DOM Invader. For more information, see Enabling DOM Invader.
You can follow the processes below using the lab DOM XSS in
document.write sink using source
- Use Burp's browser to visit your target website.
- Right-click the browser window and select Inspect.
- Select the DOM Invader tab and click Copy canary.
- Inject the canary into a potential source.
Identify any controllable sinks from the list in the DOM view.
- Examine the Value column to determine the XSS context.
- Input a string into the source that takes into account the XSS context, to see if you can exploit the vulnerability.
Was this article helpful?
An error occurred, please try again.