Burp Suite’s latest extension, DOM Invader, introduces a powerful new tool for testing DOM XSS. Today, we will walk through the steps of setting up and using DOM Invader, with a focus on a basic example. By the end of this post, you should have a basic understanding of how to use this extension and how it can help you ensure the security of your web applications.

What is Burp Suite?

Burp Suite Professional is one of the most popular penetration testing and vulnerability finder tools and is often used for checking web application security.

The recent Burp Suite release adds DOM Invader, a powerful new tool for testing DOM XSS. It also improves Burp Scanner’s navigation of single-page applications, adds a new learning resource, and brings some minor improvements.

DOM Invader allows you to find DOM-based XSS as easily as reflected XSS. It works with both the Community and Professional editions of Burp Suite.

DOM Invader works with canaries. A canary is a random string of alphanumeric characters. When the canary is injected into a request, for example in a GET parameter or another source, the extension looks for the canary in a sink such as eval() and reports, in an easy-to-read tree view, where that value reached the sink. The extension can also automatically put canaries into URLs and form elements to speed up testing. The example below shows how convenient this makes testing a website.

We have introduced the new features of the DOM Invader extension. Now, let’s run a demo together using the Professional edition of Burp Suite 2021.7!

Steps to Follow:

1. Setting up DOM Invader:

The first thing to do is to open the Proxy tab and click the Open Browser button to launch the embedded browser.

If the extension is not pinned by default, click the plug icon and pin it. The pinned Burp logo is Burp Suite’s container extension, which bundles the Navigation Recorder and DOM Invader extensions.

Navigation Recorder is a walk-through recorder for reproducing recorded steps, much like Katalon Studio.

Next, update the canary at the bottom of the DOM Invader panel with your name or a tracker such as burpdomxss, and click the Update Canary button.

Then enable Augmented DOM.

Note: Augmented DOM is a panel added to the browser’s DevTools that shows where parts of the canary matched a sink.

2. Navigation to example lab and setting canary:

A basic example makes this easier to understand.

Navigate to: https://portswigger-labs.net/dom-invader/testcases/augmented-dom-eval/

(Screenshot: Navigation to example lab and setting canary)

As you can see, we set the canary as “deniz”.


3. Triggering button for inspecting URL:

After navigating, click the Test button in the top-left corner.

(Screenshot: Triggering button for inspecting URL)

Now you will see that the URL has changed to:

https://portswigger-labs.net/dom-invader/testcases/augmented-dom-eval/index.php?x=burpdomxss

The last part of the URL is x=burpdomxss because this test case is designed to catch the canary “burpdomxss”. But as you will remember, we chose “deniz”. After editing the “x” value, press Enter to make a GET request.

4. Editing the URL for the canary match:

We need to edit the URL for our canary.

(Screenshot: Editing the URL for the canary match)

5. Looking at the results in Augmented DOM

The final step is to check whether there is a DOM XSS by using Augmented DOM. To open it, press “Ctrl+Shift+I” or right-click and select “Inspect” in the browser. Once DevTools is open, you can see the Augmented DOM panel.

(Screenshot: Looking at the results in Augmented DOM)

As you can see, our value “deniz” matched and the hit is stored in the stack tree for reporting.

Conclusion

What we saw in this demo is that the canary was injected as a GET parameter when we changed the value of “x” in the URL and pressed Enter. DOM Invader detected that the canary “deniz” reached a sink and reported the value that hit the sink, which is the canary we selected.

You can also see the source of the vulnerability by pressing “Ctrl+U” or right-clicking and selecting “View page source” in the browser. There you can see the eval() function that takes the parameter and uses it unsafely.
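To make the mechanism concrete, here is an added example (not the post’s code, and not DOM Invader’s or the lab’s source) that models the canary-to-sink check described in the canary explanation above and the eval() source just mentioned: a toy sink monitor records when the canary injected via ?x= reaches eval(), beside an allow-list version of the page that never evaluates user input. Assumed: the lab page reads x from the query string and passes it to eval(); the monitor, URLs and allowed values are constructed for illustration and run in Node.

```javascript
// Added example (not from the post, Burp Suite or PortSwigger): a toy model of the
// canary-to-sink check DOM Invader performs, runnable in Node. Assumed: the lab page
// reads the "x" query parameter and passes it to eval(), as the post's source view shows.

const CANARY = "deniz"; // the canary chosen in the post

// A stand-in for DOM Invader's instrumented sinks: wrap a sink so that any call
// whose argument contains the canary is recorded as a hit instead of executed.
function makeSinkMonitor(canary) {
  const hits = [];
  function wrap(name, fn) {
    return (value) => {
      const str = String(value);
      if (str.includes(canary)) {
        hits.push({ sink: name, value: str, offset: str.indexOf(canary) });
        return undefined; // simplification: a tainted value is reported, not run
      }
      return fn(value);
    };
  }
  return { hits, wrap };
}

// Vulnerable pattern modelled on the lab: source = URL query parameter x, sink = eval().
function vulnerablePage(url, evalSink) {
  const x = new URL(url).searchParams.get("x");
  return x === null ? undefined : evalSink(x);
}

// Hardened alternative: user input is never evaluated; only allow-listed values are used.
const ALLOWED = new Set(["light", "dark"]); // constructed allow-list
function hardenedPage(url) {
  const x = new URL(url).searchParams.get("x");
  return ALLOWED.has(x) ? x : "light";
}

// Replays the post's flow: the canary goes into ?x= and the monitor catches it at eval().
function runDemo() {
  const monitor = makeSinkMonitor(CANARY);
  const evalSink = monitor.wrap("eval", (code) => (0, eval)(code)); // indirect eval
  const labUrl = "https://portswigger-labs.net/dom-invader/testcases/augmented-dom-eval/index.php";
  const benign = vulnerablePage(labUrl + "?x=1%2B1", evalSink); // no canary: eval runs, gives 2
  vulnerablePage(labUrl + "?x=" + CANARY, evalSink);           // canary: recorded as a hit
  return { benign, hits: monitor.hits };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The recorded hit (sink name, value and the canary’s offset inside it) is the same information Augmented DOM shows in its tree view, while hardenedPage returns the default for the canary because nothing from the query string ever reaches eval().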

(Screenshot: the eval() function)

An ‘alert(1)’ pop-up provides the Proof-of-Concept (PoC) that everybody likes to see, as shown in the image below:

(Screenshot: Proof-of-Concept (PoC))

We hope this post has given you a basic understanding of Burp Suite’s latest extension, DOM Invader. We believe it is a great tool!
