Introduction to Burp Suite’s Latest Extension DOM-Invader

July 28, 2021



What is Burp Suite?

Burp Suite Professional is one of the most popular penetration-testing and vulnerability-scanning tools and is widely used for checking web application security.

The recent Burp Suite release adds DOM Invader, a powerful new tool for testing DOM XSS. It also improves Burp Scanner's navigation of single-page applications, adds a new learning resource, and includes some minor improvements.

DOM-Invader allows you to find DOM-based XSS as easily as Reflected XSS. It works with both community and pro versions of Burp Suite.

DOM-Invader works with canaries. A canary is a random string of alphanumeric characters. When the canary is injected into a source, such as a GET parameter, the extension watches for that same string arriving at a sink such as eval() and reports, in an easy-to-read tree view, where the value hit the sink. The extension can automatically put canaries into URLs and form elements to speed up testing. The example below shows how convenient this makes testing a website.

We have introduced the new features of the DOM Invader extension. Now, let’s run a demo together by using the pro version of Burp Suite 2021.7!

Steps to Follow:

1. Setting up DOM-Invader:

The first thing to do is to click on the Proxy tab and then click the Open Browser button to launch the embedded browser.

If the extension is not pinned by default, click on the plug icon and pin it. The pinned Burp logo is Burp Suite's container extension, which holds both the Navigation Recorder and DOM-Invader extensions.

Navigation Recorder is a walkthrough recorder that replays the recorded steps, much like Katalon Studio.

Next, set the canary in the DOM-Invader panel at the bottom to something distinctive, such as your name or a tracker like burpdomxss, and click the Update Canary button.

Then enable Augmented DOM.

Note: Augmented-DOM is a tab that DOM-Invader adds to the browser's Dev Tools; it shows where the canary matched a sink.

2. Navigation to example lab and setting canary:

We can understand this with a basic example.

Navigate to: https://portswigger-labs.net/dom-invader/testcases/augmented-dom-eval/

Image shows Burp Suite DOM Invader Extension Basic Usage

As you can see, we set the canary as “deniz”.

3. Triggering button for inspecting URL:

After navigating, click the Test button in the top-left corner.

Image shows Dom Based XSS Demo - Triggering Button for Inspecting URL

Now you will see that the URL has changed to:

https://portswigger-labs.net/dom-invader/testcases/augmented-dom-eval/index.php?x=burpdomxss

The last part of the URL is x=burpdomxss because this test environment is designed to catch the canary “burpdomxss”. But as you will remember, we chose “deniz”. After editing the “x” value, press Enter to make a GET request.

4. Editing the URL for canary match:

We need to edit the URL for our canary.

Image shows Dom Based XSS Demo - Editing the URL for Canary match

5. Looking at the results in Augmented-DOM:

The final step is to check whether there is a DOM XSS by using Augmented-DOM. To open it, press “Ctrl+Shift+I” or right-click and select “Inspect” in the browser. Once Dev Tools opens, you will see the Augmented-DOM tab.

Image shows Dom Based XSS Demo - Augmented-DOM results view

As you can see, our value “deniz” was matched and is recorded in the stack tree for reporting.

Conclusion

What this demo showed is that the canary was injected as a GET parameter when we changed the value of “x” in the URL and pressed Enter. DOM-Invader detected that the canary “deniz” reached a sink and reported the value that hit the sink, which is exactly the canary we chose.

You can also see the source of the vulnerability by pressing “Ctrl+U” or right-clicking and choosing “View page source” in the browser. There you can see the eval() function that takes the parameter and uses it unsafely.

Image shows Dom Based XSS Demo - Explaining Flow of Events with Eval Function
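To make the canary mechanism described at the start of the post concrete, and to show the eval() pattern the page source reveals next to a hardened version, here is an added example. It is not DOM Invader's code and not the lab page's source: the `location`-like objects, the element stub, and the harmless stand-in for eval() are all constructed so the example runs under Node rather than in a browser.

```javascript
// Added example (not DOM Invader's code, not the lab page's source): a small
// re-creation of the canary technique against a lab-style eval() sink.
// The `location`-like objects and the page element are constructed stubs so
// the example runs under Node rather than in a browser.

// The canary idea: inject a distinctive random string into a source (here a
// URL parameter) and watch whether exactly that string reaches a sink.
function makeCanaryMonitor(canary) {
  const findings = [];
  return {
    findings,
    // Wrap a dangerous sink so each call is checked for the canary before it runs.
    wrap(sinkName, sinkFn) {
      return function monitoredSink(value) {
        const str = String(value);
        if (str.includes(canary)) {
          findings.push({ sink: sinkName, source: 'location.search', value: str });
        }
        return sinkFn(str);
      };
    },
  };
}

// Source: a query-string parameter, as the lab page reads `x`.
function getParam(search, name) {
  return new URLSearchParams(search).get(name);
}

// Vulnerable pattern the post points at in the page source: `x` goes to eval().
function vulnerableHandler(loc, sinks) {
  const x = getParam(loc.search, 'x');
  if (x !== null) sinks.eval(x);
  return x;
}

// Hardened pattern: the same parameter is only ever treated as data and
// written as text, so no code-execution sink is reachable from the source.
function hardenedHandler(loc, sinks) {
  const x = getParam(loc.search, 'x');
  sinks.element.textContent = x === null ? '' : x;
  return sinks.element.textContent;
}

// Simulate one page load with the canary in place and return what a
// DOM Invader-style tool would report.
function scanWithCanary(search, canary, handler) {
  const monitor = makeCanaryMonitor(canary);
  const sinks = {
    // Harmless stand-in for eval(): the real lab would execute the string.
    eval: monitor.wrap('eval', (code) => code.length),
    element: { textContent: '' }, // constructed stub for a DOM element
  };
  handler({ search }, sinks);
  return monitor.findings;
}

// The walkthrough from the post, in miniature.
const CANARY = 'deniz';
// Step 3: the Test button sends the lab's own canary, which is not ours, so nothing is reported.
const missed = scanWithCanary('?x=burpdomxss', CANARY, vulnerableHandler);
// Step 4: the URL is edited to carry our canary and the page is reloaded; eval() is hit.
const hit = scanWithCanary('?x=' + CANARY, CANARY, vulnerableHandler);
// The fixed page: the canary still arrives but never reaches eval().
const safe = scanWithCanary('?x=' + CANARY, CANARY, hardenedHandler);
console.log(JSON.stringify({ missed, hit, safe }, null, 2));
```

The `missed` case is why step 4 in the walkthrough is necessary: the extension only reports the exact string you registered, so a URL carrying the lab's default canary produces no finding under a different canary. The `safe` case shows that the fix is not filtering the parameter but never letting it reach a code-execution sink.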

The ‘alert(1)’ pop-up provides the Proof-of-Concept (PoC) that everybody likes to see, as shown in the image below:

Image shows Dom Based XSS Demo - Proof-of-Concept (POC) with the ‘alert(1)’ pop-up

We hope this post has given you a basic understanding of Burp Suite’s latest extension, DOM-Invader. We believe it is a great tool!