Last updated: September 9, 2021
Read time: 4 Minutes
DOM Invader is a tool that makes it much quicker and easier to test for DOM-based cross-site scripting (DOM XSS) vulnerabilities. It comes preinstalled as an extension in Burp's embedded Chromium browser.
You access all of DOM Invader's features via two custom tabs in the browser's DevTools panel:
- The Augmented DOM tab enables you to identify all controllable sources and sinks on a page almost instantly, and provides features to help you dive into the client-side code to understand exactly where your injected payload will be executed.
- The Postmessage tab enables you to capture, edit, and resend any web messages that are sent on the page. This is almost like a web message equivalent of Burp's Proxy and Repeater tools. You can also let DOM Invader probe for vulnerabilities on your behalf by sending its own, specially crafted messages.
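The kind of web-message handler the Postmessage tab is built to surface, shown as an added example (this is not DOM Invader's or PortSwigger's code): a handler that writes `event.data` straight into an HTML sink with no origin check, next to a hardened version that allow-lists the sender origin, expects a structured message, and writes to a text sink. It runs in Node with a plain object standing in for a DOM element, so no browser is needed; the origin values, element stand-in, and function names are assumptions for the example.

```javascript
// Added example (not DOM Invader's or PortSwigger's code): a web-message
// handler in the vulnerable shape DOM Invader's Postmessage tab is built to
// find, next to a hardened version. Runs in Node: a plain object stands in
// for a DOM element so no browser is needed. Origins and names are assumed.

const TRUSTED_ORIGIN = "https://app.example"; // assumed: the only sender we accept

// Minimal stand-in for a DOM element; in a browser, innerHTML parses markup
// while textContent renders it as inert text.
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Vulnerable handler: no origin check, and event.data goes straight into an
// HTML sink. Any window that can postMessage to this page controls the sink.
function vulnerableHandler(event, element) {
  element.innerHTML = String(event.data);
  return element.innerHTML;
}

// Hardened handler: allow-list the origin, require a structured message with
// an expected type, and write to a text sink rather than an HTML sink.
function hardenedHandler(event, element, trustedOrigin = TRUSTED_ORIGIN) {
  if (event.origin !== trustedOrigin) return null;
  const msg = event.data;
  if (typeof msg !== "object" || msg === null) return null;
  if (msg.type !== "status" || typeof msg.text !== "string") return null;
  element.textContent = msg.text;
  return element.textContent;
}

// What DOM Invader effectively checks for: did the canary reach an HTML sink
// with its surrounding markup intact (i.e. unescaped)?
function canaryReachedHtmlSink(element, canary) {
  return element.innerHTML.includes(canary) && /<[a-z]/i.test(element.innerHTML);
}

// Constructed probe message: a placeholder canary wrapped in markup, sent
// from an origin the page should not trust.
const CANARY = "canary123";
const probe = { origin: "https://other.example", data: `<b>${CANARY}</b>` };

function demo() {
  const unsafeEl = makeElement();
  vulnerableHandler(probe, unsafeEl);
  const safeEl = makeElement();
  const accepted = hardenedHandler(probe, safeEl);
  return {
    vulnerableFlagged: canaryReachedHtmlSink(unsafeEl, CANARY), // true
    hardenedAccepted: accepted !== null,                         // false
  };
}

console.log(demo());
```

The origin check is the part that most often goes missing in real handlers; the structured-message check and the text sink are what keep the handler safe even if a trusted sender is itself compromised.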
For an overview of how to use DOM Invader, check out the following video demonstration by PortSwigger researcher and the creator of DOM Invader, Gareth Heyes.
Enabling DOM Invader
DOM Invader is preinstalled in Burp's embedded browser but is disabled by default as some of its features may interfere with your other testing activities. To enable it, click the Burp Suite icon in the upper-right corner of the browser (if you can't see it, click the jigsaw icon first), go to the DOM Invader tab, then toggle the DOM Invader is on/off switch. You will then be prompted to click the Reload button in order for your changes to take effect.
Once DOM Invader is enabled, open the browser's DevTools panel. This should now contain the Augmented DOM and Postmessage tabs. For the best experience, we recommend docking the DevTools panel to the bottom of the browser window.
In Burp, if the User options > Embedded browser > Allow the embedded browser to store settings and history option is enabled, DOM Invader will remember your previous settings, including whether it was on or off. Keep this in mind if you close the browser while DOM Invader is still enabled.
DOM Invader settings
If you click the Burp Suite icon in the upper-right corner of the browser, the DOM Invader tab provides a number of settings that let you change the behavior to suit different testing scenarios.
- Postmessage interception: When enabled, you can use the Postmessage tab in the DevTools panel to test for DOM XSS in the site's web messaging functionality. There are also a handful of postmessage-specific settings to let you fine-tune this behavior.
- Message filtering by stack trace: Some websites trigger a large number of messages, which can make testing difficult due to the amount of noise. When this setting is enabled, DOM Invader compares the stack trace of each entry and hides any entries that point to the same location in the code as an existing entry.
- Auto fire events: When enabled, DOM Invader automatically triggers a click and mouseover event on every element as soon as the page loads. This ensures that any injected payloads that require these events are executed automatically.
- Redirection prevention: You may find that some of your actions cause a DOM-based redirect to another page. This can interfere with testing because DOM Invader's tabs will be cleared and updated with any sources and sinks on the new page instead. If you enable this setting, DOM Invader will block the DOM-based redirects so that you remain on the same page. However, redirects to
- Inject canary into all sources: When enabled, DOM Invader will automatically inject the canary into any identified sources on the page. It will append a unique string to the canary for each source so that you can easily identify which sources flow into each sink. This can save you time as you're able to discover vulnerabilities while just browsing the site. This option is disabled by default as injecting into some sources may prevent you from browsing the site properly. For this reason, you can also exclude problematic sources by clicking the gear icon next to the switch for this setting.
- Update canary: By default, DOM Invader uses a random alphanumeric string as the canary, but you can override this with any canary you want. Note that you need to click the Reload button after changing the canary for this to take effect.