Introduction to Burp Suite’s Latest Extension DOM-Invader
This blog post was published on PurpleBox website on July 29th, 2021.
Burp Suite Professional is one of the most popular penetration testing and vulnerability finder tools and is often used for checking web application security.
The recent Burp Suite release adds DOM Invader, a powerful new tool for testing DOM XSS. It also provides improvements to Burp Scanner’s navigation of single-page applications, a new learning resource, and some minor improvements.
DOM-Invader allows you to find DOM-based XSS as easily as Reflected XSS. It works with both community and pro versions of Burp Suite.
DOM-Invader uses canaries. The canaries are a random string of alphanumeric characters. When the canary is injected into a request, in a get parameter or a source, the extension looks for the canary in a sink such as a valve and reports in an easy tree view of where this value hits the sink. The extension can automatically put canaries into URLs and form elements to speed up testing. We will have a better understanding of how convenient it is for easily testing websites with an example.
We have introduced the new features of the DOM Invader extension. Now, let’s run a demo together by using the pro version of Burp Suite 2021.7!
Steps to Follow:
1. Setting up Dom-Invader:
The first thing to do is to click on the proxy tab and click the Open-Browser button for the embedded browser.
If the extension is not pinned by default, you just need to click on the plug icon and pin it. Pinned Burp logo reflects the Burp Suite’s container extension which stores navigation recorder and DOM-Invader extensions.
Navigation Recorder is a walk-through recorder for reproducing recorded steps just like Katalon Studio.
We need to update the canary in DOM-Invader at the bottom with our names or a tracker like burpdomxss and click the Update Canary button.
Right now, we enabled Augmented-DOM.
Note: Augmented-DOM is a part of Dev tools of browser that shows us matching parts of Canary with sinks.
2. Navigation to example Lab and Setting Canary:
We can understand this with a basic example.
Navigate to: https://portswigger-labs.net/dom-invader/testcases/augmented-dom-eval/
As you can see, I set Canary as the name “deniz”.
3-) Triggering Button for Inspecting URL:
After navigating, click the Test button on the up-left corner.
Now you will see that the URL has changed to: https://portswigger-labs.net/dom-invader/testcases/augmented-dom-eval/index.php?x=burpdomxss.
The last part of the URL is x=burpdomxssand because this environment is designed to catch canary “burpdomxss”. But as you would remember, I chose “deniz”. After editing the “x” value, click enter to make a GET request.
4-) Editing the URL for Canary match:
We need to edit the URL for our canary.
5-) Looking at the results in Augmented-DOM
The final step is checking to see if there is a DOM-XSS or not by using Augmented-DOM. By opening the Augmented-DOM, you can press “Ctrl+Shift+I” or right-click and select “Inspect” on the browser. After opening Dev-Tools, you can see Augmented-DOM.
As you can see, our value “deniz” is matched and stored at the stack tree for reporting.
Conclusion:
What we experienced by this Demo was that the canary was injected with a GET request as a parameter when we changed the value “x” in the URL and clicked enter. DOM-Invader found that the canary “deniz” hit a sink, and it reported the value that hit to sink which is the canary we selected.
You can also see the source of vulnerability by clicking “Ctrl+U” or right-click and click “View page source” on the browser. There you can see the eval() function that took the parameter and used it unsafely.
The ‘alert(1)’ pop-up will provide us with a Proof-of-Concept (POC) which everybody likes to see.
Hope this post helped you to have a basic understanding of the Burp Suite’s latest extension DOM-Invader. We believe it is a great tool!
If you want to read more on this topic, feel free to check out the PurpleBox Blog Section.
