Professional Community

DOM Invader

DOM Invader is a tool that makes it much quicker and easier to test for DOM-based cross-site scripting (DOM XSS) vulnerabilities. It comes preinstalled as an extension in Burp's browser.

Normally, identifying and exploiting DOM XSS involves several tedious manual steps, including trawling through complex, minified JavaScript. DOM Invader does a lot of this hard work for you, meaning you can identify interesting behavior in seconds rather than hours.

You access all of DOM Invader's features via the DOM Invader view in the DevTools panel of Burp's browser:

The DOM view enables you to identify all controllable sources and sinks on a page almost instantly, and provides features to help you dive into the client-side code to understand exactly where your injected payload will be executed.
The Messages view enables you to capture, edit, and resend any web messages that are sent on the page. This is almost like a web message equivalent of Burp's Proxy and Repeater tools. You can also let DOM Invader probe for vulnerabilities on your behalf by sending its own, specially crafted messages.

For an overview of how to use DOM Invader, check out the following video demonstration by PortSwigger researcher and the creator of DOM Invader, Gareth Heyes.

PortSwigger Research

Finding DOM Polyglot XSS in PayPal the Easy Way

Enabling DOM Invader

DOM Invader is preinstalled in Burp's browser, but is disabled by default as some of its features may interfere with your other testing activities. To enable it, click the Burp Suite icon in the upper-right corner of Burp's browser (if you can't see it, click the jigsaw icon first), click on Burp Suite, go to the DOM Invader tab, then toggle the DOM Invader is on/off switch. You will then be prompted to click the Reload button in order for your changes to take effect.

Once DOM Invader is enabled, open the browser's DevTools panel. This will now contain a DOM Invader tab. For the best experience, we recommend docking the DevTools panel to the bottom of the browser window.

Note

In Burp, if the User options > Burp's browser > Allow Burp's browser to store settings and history option is enabled, DOM Invader will remember your previous settings, including whether it was on or off. Keep this in mind if you close Burp's browser while DOM Invader is still enabled.

DOM Invader settings

If you click the Burp Suite icon in the upper-right corner of the browser, the DOM Invader tab provides a number of settings that let you change the behavior to suit different testing scenarios.

Postmessage interception: When enabled, you can use the Messages view in the DevTools panel to test for DOM XSS in the site's web messaging functionality. There are also a handful of postmessage-specific settings to let you fine-tune this behavior.
Message filtering by stack trace: Some websites trigger a large number of messages, which can make testing difficult due to the amount of noise. When this setting is enabled, DOM Invader compares the stack trace of each entry and hides any entries that point to the same location in the code as an existing entry.
Auto fire events: When enabled, DOM Invader automatically triggers a click and mouseover event on every element as soon as the page loads. This ensures that any injected payloads that require these events are executed automatically.
Redirection prevention: You may find that some of your actions cause a DOM-based redirect to another page. This can interfere with testing because DOM Invader's views will be cleared and updated with any sources and sinks on the new page instead. If you enable this setting, DOM Invader will block the DOM-based redirects so that you remain on the same page. However, redirects to javascript: URLs, or any redirects initiated by the Inject canary into URL button, will still work as normal.
Inject canary into all sources: When enabled, DOM invader will automatically inject the canary in any identified sources on the page. It will append a unique string to the canary for each source so that you can easily identify which sources flow into each sink. This can save you time as you're able to discover vulnerabilities while just browsing the site. This option is disabled by default as injecting into some sources may prevent you from browsing the site properly. For this reason, you can also exclude problematic sources by clicking the gear icon next to the switch for this setting.
Update canary: By default, DOM Invader uses a random alphanumeric string as the canary, but you can override this with any canary you want. Note that you need to click the Reload button after changing the canary for this to take effect.