# DOM Invader

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="https://4053168017-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbkAZDoSuRHGdNlWHdyKs%2Fuploads%2Fgit-blob-ce8af1068db7be4ad9003f8ddb02fea8f943f1a4%2Farte.png?alt=media" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="https://4053168017-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbkAZDoSuRHGdNlWHdyKs%2Fuploads%2Fgit-blob-ce8af1068db7be4ad9003f8ddb02fea8f943f1a4%2Farte.png?alt=media" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="https://4053168017-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbkAZDoSuRHGdNlWHdyKs%2Fuploads%2Fgit-blob-54ee1fb931f39d1e6f50150361b6aa1927f4ee88%2Fgrte.png?alt=media" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="https://4053168017-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbkAZDoSuRHGdNlWHdyKs%2Fuploads%2Fgit-blob-54ee1fb931f39d1e6f50150361b6aa1927f4ee88%2Fgrte.png?alt=media" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## DOM Invader

DOM Invader is a browser extension that comes preinstalled in Burp Suite's built-in browser. It assists in **detecting DOM XSS vulnerabilities** by tracking tainted data from sources to sinks, including web messages (`postMessage()`) and client-side prototype pollution.

DOM Invader integrates a tab within the browser's DevTools panel enabling the following:

1. **Identification of controllable sinks** on a webpage for DOM XSS testing, providing context and sanitization details.
2. **Logging, editing, and resending web messages** sent via the `postMessage()` method for DOM XSS testing. DOM Invader can also auto-detect vulnerabilities using specially crafted web messages.
3. Detection of **client-side prototype pollution** sources and scanning of controllable gadgets sent to risky sinks.
4. Identification of **DOM clobbering vulnerabilities**.

### Enable It

In Burp's built-in browser, open the **Burp Suite extension** (the Burp icon in the browser toolbar) and enable DOM Invader:

<figure><img src="https://4053168017-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbkAZDoSuRHGdNlWHdyKs%2Fuploads%2Fgit-blob-0d4cd8ba00b54558171fbf4ba9a43b34185bdd62%2Fimage%20(1129).png?alt=media" alt=""><figcaption></figcaption></figure>

Now refresh the page; in the **Dev Tools** panel you will find the **DOM Invader tab:**

<figure><img src="https://4053168017-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbkAZDoSuRHGdNlWHdyKs%2Fuploads%2Fgit-blob-38b71f3d46ec54b0987aad7a06f670f82da8f9a0%2Fimage%20(695).png?alt=media" alt=""><figcaption></figcaption></figure>

### Inject a Canary

In the previous image you can see a **random string of characters: that is the canary**. Start **injecting** it into different parts of the web application (URL parameters, form fields, the URL fragment...) and, after each injection, click the search button. DOM Invader checks whether the **canary reached any interesting sink** that could be exploited and, for each hit, shows the sink, the context the canary landed in and any sanitization it observed.

Moreover, the options **Inject URL params** and **Inject forms** automatically open a **new tab** with the **canary injected** into every **URL parameter** and **form field** the page exposes.

### Inject an empty Canary

If you only want to enumerate the potential sinks a page has, including ones that are not exploitable from your input, you can **search for an empty canary**: DOM Invader then lists every sink it observes instead of only those your injected value reached.

### Post Messages

DOM Invader allows testing for DOM XSS using web messages with features such as:

1. **Logging web messages** sent via `postMessage()`, akin to Burp Proxy's HTTP request/response history logging.
2. **Modification** and **reissue** of web messages to manually test for DOM XSS, similar to Burp Repeater's function.
3. **Automatic alteration** and sending of web messages for probing DOM XSS.

#### Message details

Detailed information can be viewed about each message by clicking on it, which includes whether the client-side JavaScript accesses the `origin`, `data`, or `source` properties of the message.

* **`origin`**: If the **origin of the message is not checked**, you may be able to send cross-origin messages to the event handler **from an arbitrary external domain**. Even if it is checked, the check itself can be flawed (for example a substring or prefix comparison rather than an exact match) and therefore still bypassable.
* **`data`**: This is where the payload travels. If the handler never reads `data`, no attacker-controlled input reaches a sink and the message is not useful for DOM XSS.
* **`source`**: Indicates whether the handler validates the `source` property (usually a reference to an iframe's window) instead of the origin. Even if `source` is checked, that does not guarantee the validation can't be bypassed.
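The three properties above, as seen from the receiving page's side. The following is an added example (not DOM Invader's or PortSwigger's code) that puts a vulnerable handler, a handler with a bypassable `origin` check and a hardened handler side by side. The handlers take a `MessageEvent`-like object and the sinks are simulated, so the logic runs under Node without a browser; `TRUSTED_ORIGIN`, the `{type, name}` message shape and the attacker origins are assumptions.

```javascript
// Added example, not DOM Invader's code. Assumed trusted origin for the page.
const TRUSTED_ORIGIN = 'https://app.example';

// Simulated sinks. In a real page these would be el.innerHTML = v and el.textContent = v.
function sinkInnerHTML(v) { return { sink: 'innerHTML', value: String(v) }; }
function sinkTextContent(v) { return { sink: 'textContent', value: String(v) }; }

// VULNERABLE: origin and source are never read, and event.data goes straight to an
// HTML sink. DOM Invader would show "origin" as not accessed; any page that can get a
// reference to this window (iframe, window.open) can deliver the payload.
function vulnerableHandler(event) {
  return sinkInnerHTML(event.data);
}

// WEAK: origin is "checked", but with a substring match. DOM Invader reports origin as
// accessed, yet https://app.example.attacker.tld still passes the check.
function weakOriginHandler(event) {
  if (event.origin.indexOf(TRUSTED_ORIGIN) === -1) return null;
  return sinkInnerHTML(event.data);
}

// HARDENED: exact origin match, a typed message with a fixed shape, and a text sink, so
// even a message from the trusted origin cannot inject markup. event.source is not used
// as a substitute for the origin check: an attacker who can navigate the frame that
// event.source points to would pass such a check.
function hardenedHandler(event) {
  if (event.origin !== TRUSTED_ORIGIN) return null;
  const msg = event.data;
  if (typeof msg !== 'object' || msg === null) return null;
  if (msg.type !== 'greet' || typeof msg.name !== 'string') return null;
  return sinkTextContent(msg.name);
}

// Constructed cross-origin message, as an attacker's page would produce with
//   victimWindow.postMessage('<img src=x onerror=alert(document.domain)>', '*')
const ATTACKER_EVENT = {
  origin: 'https://attacker.tld',
  data: '<img src=x onerror=alert(document.domain)>',
  source: null,
};

// Constructed bypass of the substring check: the origin starts with TRUSTED_ORIGIN.
const LOOKALIKE_EVENT = { ...ATTACKER_EVENT, origin: 'https://app.example.attacker.tld' };

// Constructed legitimate message from the trusted origin.
const TRUSTED_EVENT = { origin: TRUSTED_ORIGIN, data: { type: 'greet', name: 'alice' }, source: null };

// Runs every handler against every message and records which sink (if any) was reached.
function evaluate() {
  const events = { attacker: ATTACKER_EVENT, lookalike: LOOKALIKE_EVENT, trusted: TRUSTED_EVENT };
  const handlers = { vulnerable: vulnerableHandler, weak: weakOriginHandler, hardened: hardenedHandler };
  const report = {};
  for (const [hName, handler] of Object.entries(handlers)) {
    report[hName] = {};
    for (const [eName, ev] of Object.entries(events)) {
      const out = handler(ev);
      report[hName][eName] = out === null ? 'rejected' : out.sink;
    }
  }
  return report;
}

console.log(JSON.stringify(evaluate(), null, 2));
```

The report shows the attacker message reaching `innerHTML` through the vulnerable handler, the lookalike origin slipping past the substring check, and the hardened handler rejecting both while still handling the legitimate message, which is exactly the distinction DOM Invader's `origin` indicator hints at but cannot decide for you.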

#### Resend a message

1. From the **Messages** view, click on any message to open the message details dialog.
2. Edit the **Data** field as required.
3. Click **Send**.

### Prototype Pollution

DOM Invader can also search for **Prototype Pollution vulnerabilities**. First, you need to enable it:

<figure><img src="https://4053168017-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbkAZDoSuRHGdNlWHdyKs%2Fuploads%2Fgit-blob-4fbfba8c76a0ee69a549763c58d9129634eacd6e%2Fimage%20(1026).png?alt=media" alt=""><figcaption></figcaption></figure>

Then, it will **search for sources** that let you add arbitrary properties to **`Object.prototype`**.

If a source is found, a **Test** button appears next to it to **test the found source**. Click it: DOM Invader opens a new tab with its test payload injected. In that tab's console, create a fresh object and check whether it inherits `testproperty` from the polluted prototype:

```javascript
// Run in the DevTools console of the tab DOM Invader opened.
// A brand-new object has no own properties, so a value here can only
// come from Object.prototype: the source is exploitable.
let b = {}
b.testproperty   // undefined on a clean page; a value if the prototype was polluted
```

Once you have found a source you can **scan for a gadget**:

1. Click the **Scan for gadgets** button, which appears next to any identified prototype pollution source in the **DOM** view. DOM Invader opens a new tab and starts scanning for suitable gadgets.
2. In that new tab, keep the **DOM Invader** tab open in the DevTools panel. After the scan completes, any sinks reachable via the identified gadgets are displayed in the **DOM** view; for instance, a gadget property named `html` being passed to the `innerHTML` sink.
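To make the source/gadget split concrete, here is an added example (not DOM Invader's code) of both halves: a query-string parser that lets `?__proto__[html]=...` write into `Object.prototype`, a gadget that reads `html` through the prototype chain and hands it to an `innerHTML` sink, and a hardened version of each. The sink is simulated so it runs under Node; the parser, the `html` option name and the payload are assumptions.

```javascript
// Added example, not DOM Invader's code. All names and the payload are assumptions.

// Splits "a[b][c]" into ['a', 'b', 'c'].
function keyPath(rawKey) {
  return decodeURIComponent(rawKey).split(/\[|\]\[|\]/).filter(Boolean);
}

// Splits "k=v=w" on the first "=" only, so "=" inside the value survives.
function splitPair(pair) {
  const i = pair.indexOf('=');
  return i === -1 ? [pair, ''] : [pair.slice(0, i), pair.slice(i + 1)];
}

// SOURCE (vulnerable): merges ?a[b]=c into nested objects by walking property names
// taken straight from the URL. "__proto__" resolves to Object.prototype, so
// ?__proto__[html]=... ends up writing Object.prototype.html.
function parseQueryVulnerable(search) {
  const result = {};
  for (const pair of search.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const [rawKey, rawValue] = splitPair(pair);
    const path = keyPath(rawKey);
    if (path.length === 0) continue;
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof node[path[i]] !== 'object' || node[path[i]] === null) node[path[i]] = {};
      node = node[path[i]]; // becomes Object.prototype when path[i] === '__proto__'
    }
    node[path[path.length - 1]] = decodeURIComponent(rawValue.replace(/\+/g, ' '));
  }
  return result;
}

// SOURCE (hardened): prototype-less containers, hostile key names dropped, and only
// own properties are descended into.
const HOSTILE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function parseQuerySafe(search) {
  const result = Object.create(null);
  for (const pair of search.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const [rawKey, rawValue] = splitPair(pair);
    const path = keyPath(rawKey);
    if (path.length === 0 || path.some((k) => HOSTILE_KEYS.has(k))) continue;
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (!Object.prototype.hasOwnProperty.call(node, path[i]) || typeof node[path[i]] !== 'object') {
        node[path[i]] = Object.create(null);
      }
      node = node[path[i]];
    }
    node[path[path.length - 1]] = decodeURIComponent(rawValue.replace(/\+/g, ' '));
  }
  return result;
}

// GADGET: reads `html` through the prototype chain, so a polluted Object.prototype.html
// is used whenever the caller passes no own `html`. In a page the returned value would
// be assigned to element.innerHTML; this is the pattern the gadget scan reports.
function renderWidget(options) {
  const html = options.html !== undefined ? options.html : '<b>default</b>';
  return { sink: 'innerHTML', value: html };
}

// Hardened gadget: own properties only, so pollution cannot supply the value.
function renderWidgetSafe(options) {
  const html = Object.prototype.hasOwnProperty.call(options, 'html') ? options.html : '<b>default</b>';
  return { sink: 'innerHTML', value: html };
}

// Runs one parser against the payload, checks whether Object.prototype was polluted
// (the same test as `let b = {}; b.testproperty`, with `html` as the property), records
// what each gadget would render, then removes the polluted property again so the rest
// of the process is unaffected.
function run(parser, search) {
  parser(search);
  const polluted = ({}).html !== undefined;
  const rendered = renderWidget({}).value;
  const renderedSafe = renderWidgetSafe({}).value;
  delete Object.prototype.html;
  return { polluted, rendered, renderedSafe };
}

// Constructed payload in bracket notation (an assumption about the target parser).
const PAYLOAD = '?__proto__[html]=<img src=x onerror=alert(1)>';

console.log(run(parseQueryVulnerable, PAYLOAD));
console.log(run(parseQuerySafe, PAYLOAD));
```

With the vulnerable parser the `<img ...>` payload reaches the gadget's `innerHTML` sink without ever being passed to it explicitly; with the safe parser, or the own-property gadget, the default markup is used. When you test a real page, the vulnerable parser corresponds to the source DOM Invader reports, and `renderWidget` to the gadget its scan finds.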

### DOM clobbering

In the settings shown in the previous image, the DOM clobbering scan can also be turned on. Once enabled, **DOM Invader starts searching for DOM clobbering vulnerabilities**: places where an HTML element's `id` or `name` attribute can shadow a global variable or a `document` property that the page's JavaScript relies on.

## References

* <https://portswigger.net/burp/documentation/desktop/tools/dom-invader>
* <https://portswigger.net/burp/documentation/desktop/tools/dom-invader/enabling>
* <https://portswigger.net/burp/documentation/desktop/tools/dom-invader/dom-xss>
* <https://portswigger.net/burp/documentation/desktop/tools/dom-invader/web-messages>
* <https://portswigger.net/burp/documentation/desktop/tools/dom-invader/prototype-pollution>
* <https://portswigger.net/burp/documentation/desktop/tools/dom-invader/dom-clobbering>
