
DOM Invader

DOM Invader is a tool that allows you to test applications for DOM-based cross-site scripting (XSS) vulnerabilities. DOM-based XSS vulnerabilities usually arise when JavaScript takes data from an attacker-controllable source, such as the URL, and passes it to a sink that supports dynamic code execution, such as eval() or innerHTML. This enables attackers to execute malicious JavaScript, which typically allows them to hijack other users' accounts. The Web Security Academy has more information on DOM-based XSS.

You can use DOM Invader to examine and manipulate web messages. DOM Invader can also automatically generate web messages, to look for vulnerable listeners.

DOM Invader is implemented as an extension for Burp Suite's embedded browser, and is controlled from the browser rather than from Burp Suite's interface.

Canary

DOM Invader makes use of a canary. A canary is a unique string that can be injected into a source and then searched for in various sinks. The default canary is a string of eight random alphanumeric characters, but you can change it to something else if you prefer. In the screenshots, we've changed it to burpdomxss to make it clearer.

Starting DOM Invader

To start using DOM Invader, go to the Proxy tab and open Burp Suite's embedded browser. Click on the extension icon at the top right of the browser window to reveal the list of extensions. By default, this will only contain the Burp Suite extension, so click that. The Burp Suite extension is pinned by default.

Embedded browser extensions

The Burp Suite extension is a container for two different extensions: DOM Invader (which has a blue icon) and Navigation Recorder (which has an orange icon). If the Navigation Recorder interface is displayed, click on the DOM Invader tab to open that extension.

Container with both extensions

DOM Invader is switched off by default, as it can break target web applications. Click on the switch to turn DOM Invader on and start using it.

Testing with DOM Invader

Load the site you want to test in the embedded browser and insert the canary string into a query parameter or other source. You can also use the buttons Inject canary into URL to place the canary into every URL parameter and Inject canary into forms to automatically go through every form element and insert a canary.

In the embedded browser, go to the settings menu and click More Tools and then Developer Tools.

Note: The Developer Tools frame may be difficult to read, depending on where it is docked, so we recommend clicking on the settings icon for the developer tools frame and selecting the Dock to bottom icon.

In the Developer Tools frame, click on the Augmented DOM tab. This will show you all the sources and sinks where the canary string appears. DOM Invader displays the sources and sinks in a tree view, and orders them so that the more interesting ones (i.e. those more closely associated with known vulnerabilities) appear first.

Augmented DOM tab

The first listed sink will be expanded by default. Click the arrow next to other sinks or sources to expand them. DOM Invader will display the relevant value and the associated stack trace, and will highlight where the canary or a search query is in the value column.

Click the value cell to toggle the view and see the entire sink value. The stack trace link allows you to find out where in the code the sink executes. Clicking the stack trace link will output the stack trace to the console. Hitting the escape key while the developer tools frame is open will open a console.

DOM Invader stack trace

Click the links in the stack trace to see the relevant code.

Examining the code

When you've spotted your canary in the relevant sink you can then add more characters to the end of the canary in the source. You can then see that value in the Augmented DOM tab to see if it has been correctly encoded, as non-encoded characters can imply a vulnerability.
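Once the canary is visible in a sink, the check described above is to append a few extra characters to it in the source and see how they come back. The following is an added example, not DOM Invader's own code, that classifies the value seen in the Augmented DOM tab into probes that arrived raw, encoded, or stripped; the canary burpdomxss matches the screenshots and the sink values are constructed.

```javascript
// Added example, not DOM Invader's code. After the canary has been spotted in
// a sink, append a short run of probe characters to it in the source and
// classify, for the value seen in the Augmented DOM tab, which probes arrived
// raw, which were encoded, and which were stripped. Sink values are constructed.
const CANARY = "burpdomxss";
const PROBES = ["<", ">", '"', "'", "&"];
const ENCODINGS = {
  "<": ["&lt;"],
  ">": ["&gt;"],
  '"': ["&quot;", "&#34;"],
  "'": ["&#39;", "&#x27;", "&apos;"],
  "&": ["&amp;"],
};

// The value to place in the source: canary followed by the probe characters.
function probeValue(canary = CANARY) {
  return canary + PROBES.join("");
}

// Walk the sink value after the canary. Encoded forms are tried before the raw
// character so that a literal "&amp;" is not mistaken for a raw "&".
function classifyProbes(sinkValue, canary = CANARY) {
  const idx = sinkValue.indexOf(canary);
  if (idx === -1) return null; // canary did not reach this sink
  let tail = sinkValue.slice(idx + canary.length);
  const result = {};
  for (const p of PROBES) {
    const enc = ENCODINGS[p].find((e) => tail.startsWith(e));
    if (enc) {
      result[p] = "encoded";
      tail = tail.slice(enc.length);
    } else if (tail.startsWith(p)) {
      result[p] = "raw";
      tail = tail.slice(1);
    } else {
      result[p] = "stripped"; // filtered out before reaching the sink
    }
  }
  return result;
}

// Probes that survived unencoded; a raw "<" in an HTML sink, or a raw quote
// inside an attribute, is the value to investigate next.
function rawProbes(sinkValue, canary = CANARY) {
  const r = classifyProbes(sinkValue, canary);
  return r ? PROBES.filter((p) => r[p] === "raw") : [];
}
```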

Within the Augmented DOM tab you can search sinks and sources using the search box. The current canary will be entered into the search box by default.

Web messages

You can use DOM Invader's Postmessage tab to test for web message vulnerabilities. Postmessage functionality is switched off by default. Click the DOM Invader extension icon at the top right of the browser window and then on the switch to turn postmessage interception on. You will be prompted to reload your browser. Postmessage interception will let you see web messages in a table view, and reissue them.

Once you have enabled the feature, click the Reload button to refresh your target site and open Developer Tools in the embedded browser. You will see a new tab called Postmessage. Navigate to a site that contains some web messages and you will see them in the table.

Web messages in DOM Invader

You'll see the following columns in DOM Invader's postmessage tab:

Click on a row to view and manipulate the web message and reissue it by clicking the Send button or by pressing control and enter. When you open a web message, you can see some extra details:

Note: DOM Invader initially classifies all messages as having a vulnerability with a severity of "information" and a confidence level of "tentative", as all messages have the potential to be exploited. DOM Invader will upgrade the issue as it discovers more about the listener.

Open the message to see details

Testing with web messages

You can edit the data of the web message using the box provided. If you have canary injection into messages turned on, you can choose to view the original or manipulated message. We recommend that before you send the message, you show the console drawer by pressing escape while in Developer Tools, as DOM Invader will give you a stack trace every time the origin or data is read when you send the message. You can resend the message as many times as you like.

If you find a vulnerable event listener and you have successfully crafted an exploit in the data box then you can use the Build PoC button to create your proof of concept, similar to the CSRF proof of concept functionality in Burp Suite. This is HTML and JavaScript that helps you reproduce the message that you have sent. The button will copy the PoC to your clipboard.

You can spoof the origin of the web message, in order to find vulnerable listeners, by using the fake origin check box. Alternatively, switch on postmessage origin spoofing in the extension's settings so that DOM Invader spoofs the origin of all messages. These options are switched off by default because they can break the functionality of some sites. Turn them on by clicking on the DOM Invader icon at the top right of the browser window and selecting the Postmessage spoof origin and Canary injection into messages switches. When origin spoofing is enabled, DOM Invader automatically creates a spoofed origin with the structure mysite.com.fakemysite.com, where mysite.com is replaced by the site you are examining. This helps find vulnerable event listeners that validate the origin with a "starts with" or "ends with" style function or a vulnerable regex. When Canary injection into messages is enabled, DOM Invader attempts to inject the canary into the message data or JSON, and you can then use the Augmented DOM tab to see whether the canary lands in a sink and potentially exploit it.

DOM Invader attempts to categorize vulnerabilities. Turning spoof origin on helps DOM Invader make better guesses when it reassesses the issues it finds. DOM Invader checks whether the listener reads the origin before the data; if the data is read before the origin has been checked, this indicates a vulnerability. Each message is given severity and confidence ratings to indicate how likely it is to be exploitable. Click on the row for more details.
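To make the two checks above concrete, here is an added example (not DOM Invader's own code) that builds the mysite.com.fakemysite.com style spoofed origin, runs it against listeners with a "starts with" check and a strict equality check, and records whether a listener reads event.data before event.origin. The trusted origin https://mysite.com is a constructed placeholder for the site under test.

```javascript
// Added example (not DOM Invader's own code). It models two checks the text
// describes: the spoofed origin of the form mysite.com.fakemysite.com, and
// whether a listener reads event.data before it has checked event.origin.
// "https://mysite.com" is a constructed placeholder for the site under test.
const TRUSTED = "https://mysite.com";

// DOM Invader-style spoofed origin: the trusted host followed by ".fake<host>".
function spoofOrigin(trustedOrigin) {
  const host = new URL(trustedOrigin).host;
  return `https://${host}.fake${host}`;
}

// Wrap origin/data in getters that record the order in which they are read,
// standing in for the stack trace DOM Invader prints on each read.
function instrumentEvent(origin, data) {
  const reads = [];
  const ev = {};
  Object.defineProperty(ev, "origin", { get: () => (reads.push("origin"), origin) });
  Object.defineProperty(ev, "data", { get: () => (reads.push("data"), data) });
  return { ev, reads };
}

// Run a listener on one message. Each listener returns the string it would
// write to a sink such as innerHTML, or null if it rejects the message.
function assess(listener, origin, data) {
  const { ev, reads } = instrumentEvent(origin, data);
  const sinkValue = listener(ev);
  const d = reads.indexOf("data"), o = reads.indexOf("origin");
  const dataBeforeOrigin = d !== -1 && (o === -1 || d < o);
  return { sinkHit: sinkValue !== null, dataBeforeOrigin, reads };
}

// Weak check: a "starts with" comparison accepts the spoofed origin.
function weakListener(ev) {
  if (!ev.origin.startsWith(TRUSTED)) return null;
  return String(ev.data);
}
// Data is parsed before the origin is checked, which DOM Invader flags.
function dataFirstListener(ev) {
  const msg = JSON.parse(ev.data);
  if (ev.origin !== TRUSTED) return null;
  return msg.html === undefined ? null : msg.html;
}
// Strict check: compares the whole origin, so the spoofed origin is rejected.
function strictListener(ev) {
  if (ev.origin !== TRUSTED) return null;
  return String(ev.data);
}
```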

You can search the web message data using the search box. The current canary will be entered into the search box when Inject canary into messages is switched on.

Spoofing origins

Generating automated messages

DOM Invader can automatically discover the vulnerabilities of event listeners. This functionality is turned off by default. To turn it on, click on the DOM Invader icon and then the Generate automated messages switch.

After you've switched this functionality on, browse to a page with the browser's developer tools open on the Postmessage tab. DOM Invader sends web messages containing the canary together with a unique number and a hyphen for each message. If it detects the canary with its unique number and hyphen in a non-interesting sink (for example, a JSON sink), DOM Invader uses this information to structure and send further messages that aim to reach more interesting sinks, such as innerHTML. In other words, DOM Invader attempts to construct and send the sorts of messages that the listeners are expecting.

Messages that DOM Invader has automatically created have an icon instead of a number in the ID column of the postmessage window.

Automatically generated messages

Other options

DOM Invader has other options you can configure. To change any of these options, click on the extension icon at the top right of the browser window and select the relevant switch.