DOM Invader - The New Feature of Burp Suite
Burp Suite's DOM Invader detects DOM-based Cross Site Scripting directly in the browser, making this class of XSS issue quick and easy to find.

How to Enable DOM Invader in Burp Suite
Burp Suite's DOM Invader helps you find DOM-based vulnerabilities quickly and efficiently. Once enabled, the tool detects DOM-based Cross Site Scripting directly in the browser -- making XSS discovery fast and straightforward. Activation takes just a few steps:
- Step 1: Open Burp Suite in the Chromium browser.
- Step 2: Open Burp's embedded browser, located on the Proxy tab. If the extension is not pinned by default, click the plug icon to pin it.
- Step 3: Enable DOM Invader in the extension's settings.
With just a few clicks, Burp Suite is ready to use. This makes it well suited for regular everyday use, as well as for more comprehensive security assessments or formal penetration tests.
DOM Invader Settings at a Glance
To get the most out of Burp Suite, you should review the Invader settings. Click the Burp Suite icon in the upper right corner of the browser to open them. These settings control how the suite behaves, allowing you to configure different test scenarios.
- Auto-Fire Events: DOM Invader can automatically trigger click and mouseover events. When the page loads, each element is evaluated accordingly, ensuring that injected payloads execute immediately.
- Stacktrace for Message Filtering: A common challenge when testing websites is the high volume of triggered messages, which creates noise and complicates testing. The stacktrace filter hides duplicate entries that originate from the same code location.
- Intercept Post Messages: Once this option is active, you can test the page's web messaging (postMessage) handlers for DOM XSS. This is done from the postMessage tab in the DevTools panel. Additional fine-tuning options let you customize the behavior further.
- Inject Canary in All Sources: This setting automatically injects the Canary into all identified sources on the page. The program appends a unique string, making it easy to trace which source flows where. This saves valuable time when hunting for vulnerabilities. The option is disabled by default, as it may interfere with proper page loading.
- Prevent Redirects: Your actions may occasionally trigger a DOM-based redirect, which can disrupt your test by clearing and reloading the tabs with a new source. When "Prevent Redirects" is enabled, DOM-based redirections are blocked. Only redirects to JavaScript URLs are preserved, along with those initiated by the "Canary in URL" button.
- Update Canary: The Canary uses a random alphanumeric string by default but can be overwritten with any value. After making changes, you need to reload the page in the Chromium browser for them to take effect.
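As an added illustration of what the "Intercept Post Messages" option exposes (example code, not part of the original article and not DOM Invader's own code), the block below models a web-message handler in its vulnerable form beside a hardened one. It runs in plain Node.js, so a message is represented as an event-like object with `origin` and `data`, the target element is modelled as an object with `innerHTML` and `textContent`, and the trusted origin, the canary value and the message shape are all assumed values:

```javascript
// Added example; not code from the page or from Burp Suite's DOM Invader.
// It models the kind of web-message handler that "Intercept Post Messages"
// lets you exercise: a vulnerable form beside a hardened one. It runs in
// plain Node.js, so a message is an event-like object { origin, data } and
// the target element is modelled as { innerHTML, textContent }.

// Origins this page is willing to accept messages from (assumed values).
const TRUSTED_ORIGINS = new Set(["https://app.example"]);

// Canary marker used to see whether message data reaches a sink (constructed).
const CANARY = "dominvadercanary1234";

function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Vulnerable handler: no origin check, and the data is written as markup.
// Any window holding a reference to this one can have its HTML rendered here.
function handleMessageVulnerable(event, target) {
  target.innerHTML = String(event.data); // innerHTML assignment stringifies
  return { accepted: true, reason: "no origin check" };
}

// Hardened handler: accept only trusted origins and a known message shape,
// and write the payload as text so the sink cannot interpret markup.
function handleMessageHardened(event, target) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { accepted: false, reason: "untrusted origin " + event.origin };
  }
  const msg = event.data;
  const wellFormed =
    typeof msg === "object" && msg !== null &&
    msg.type === "status" && typeof msg.text === "string";
  if (!wellFormed) {
    return { accepted: false, reason: "unexpected message shape" };
  }
  target.textContent = msg.text;
  return { accepted: true, reason: "ok" };
}

// Constructed sample messages. The canary inside each shows, per handler,
// whether the data reached the sink and whether it did so as markup or as text.
const SAMPLE_EVENTS = [
  { origin: "https://app.example",  data: { type: "status", text: "ready " + CANARY } },
  { origin: "https://evil.example", data: "<b>" + CANARY + "</b>" },
  { origin: "https://app.example",  data: "<b>" + CANARY + "</b>" },
];

// Run every sample message through a handler against a fresh element and
// report where the canary ended up.
function runScenario(handler, events = SAMPLE_EVENTS) {
  return events.map((event) => {
    const el = makeElement();
    const result = handler(event, el);
    return {
      origin: event.origin,
      accepted: result.accepted,
      markupReachedSink: el.innerHTML.includes(CANARY),
      textReachedSink: el.textContent.includes(CANARY),
    };
  });
}

// Stand-alone run: print both result tables.
console.table(runScenario(handleMessageVulnerable));
console.table(runScenario(handleMessageHardened));
```

The vulnerable handler accepts every message and lets the canary land in `innerHTML` as markup regardless of origin; the hardened one rejects the untrusted origin and the unstructured messages, and the only canary that reaches the element does so through `textContent`, which is exactly the distinction DOM Invader's sink view makes visible.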
How DOM Invader Works
Burp Suite's DOM Invader is a powerful tool for detecting DOM XSS vulnerabilities. The values it injects can be analyzed much as you would analyze a reflected XSS. The workflow is simple yet effective:
First, load the page you want to test. The Canary is then injected into a general source or a specific query parameter. Using the DevTools embedded in the Burp Suite browser, open the "Augmented DOM" tab. You will see all sinks and sources that contain the Canary value. The results are displayed in a tree view across all available sources, keeping things clear and easy to navigate. A particularly helpful feature: entries are sorted in descending order of relevance, so the most interesting findings appear at the top.
When you find a relevant entry, you can inspect both the value and its associated stack trace. At this point, it can be useful to append additional characters to the Canary in the URL parameter or in whichever other source you used. The sink output then shows at a glance whether those characters were encoded or passed through unchanged.
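The following added example (not code from the article or from DOM Invader) reproduces that source-to-sink flow and the encoding check in plain Node.js: a canary plus a few HTML-significant characters is placed in a URL parameter (the source), and the HTML a page would assign to `innerHTML` (the sink) is inspected to see which of those characters arrived unencoded. The function names, the canary value and the `name` parameter are assumptions for the example; the first renderer is deliberately left vulnerable to show what DOM Invader would flag:

```javascript
// Added example; not code from the page or from Burp Suite's DOM Invader.
// It reproduces, in plain Node.js, the source-to-sink flow that DOM Invader
// traces and the encoding check described above: a canary plus a few
// HTML-significant characters is placed in a URL parameter (source), and the
// HTML a page would assign to innerHTML (sink) is inspected to see which of
// those characters arrived unencoded. Names, the canary value and the
// "name" parameter are all assumptions for the example.

// Canary in the style DOM Invader uses: a unique alphanumeric marker (constructed).
const CANARY = "dominvadercanary1234";
// Characters appended to the canary to probe how the sink treats them.
const PROBE_CHARS = ['"', "'", "<", ">"];
// Encoded forms we recognise when a character did get escaped.
const ENCODED_FORMS = {
  '"': ["&quot;", "&#34;"],
  "'": ["&#39;", "&#x27;", "&apos;"],
  "<": ["&lt;"],
  ">": ["&gt;"],
};

// Vulnerable: the "name" parameter is concatenated into markup unencoded.
// Deliberately left vulnerable to show what DOM Invader would flag.
function renderGreetingVulnerable(search) {
  const name = new URLSearchParams(search).get("name") ?? "guest";
  return `<p>Welcome, ${name}!</p>`;
}

// Hardened: same flow, but the value is HTML-encoded before reaching the sink.
// (Writing to textContent instead of innerHTML removes the sink altogether.)
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}
function renderGreetingHardened(search) {
  const name = new URLSearchParams(search).get("name") ?? "guest";
  return `<p>Welcome, ${escapeHtml(name)}!</p>`;
}

// Build the query string a tester would load: canary followed by the probe characters.
function buildProbeSearch(canary = CANARY, chars = PROBE_CHARS) {
  return "?name=" + encodeURIComponent(canary + chars.join(""));
}

// Inspect the sink output. Walks the text right after the canary and sorts
// each probe character into "unencoded" (arrived raw) or "encoded" (an
// escaped form was found); stops at the first character that did neither.
function inspectSink(sinkHtml, canary = CANARY, chars = PROBE_CHARS) {
  const idx = sinkHtml.indexOf(canary);
  if (idx === -1) return { reached: false, unencoded: [], encoded: [] };
  const tail = sinkHtml.slice(idx + canary.length);
  const unencoded = [];
  const encoded = [];
  let pos = 0;
  for (const c of chars) {
    if (tail.startsWith(c, pos)) {
      unencoded.push(c);
      pos += 1;
      continue;
    }
    const form = (ENCODED_FORMS[c] || []).find((f) => tail.startsWith(f, pos));
    if (form) {
      encoded.push(c);
      pos += form.length;
      continue;
    }
    break; // dropped or transformed in a way we do not recognise
  }
  return { reached: true, unencoded, encoded };
}

// Stand-alone run: compare both renderers on the same probe.
const probe = buildProbeSearch();
console.log("vulnerable:", inspectSink(renderGreetingVulnerable(probe)));
console.log("hardened:  ", inspectSink(renderGreetingHardened(probe)));
```

For the vulnerable renderer every probe character arrives raw, which is the signal that the parameter can break out of the surrounding markup; for the hardened renderer all four show up only in their escaped forms. The walk deliberately stops at the first character it cannot classify, so a sink that strips or rewrites characters is reported as "neither", which a tester should look at rather than assume safe.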
Clear and Practical in Everyday Use
Whenever you navigate to a different page -- whether through a redirect, forwarding, or similar action -- the Canary reloads automatically. This means most processes run in the background, and you only need to configure a few settings upfront to obtain meaningful results. The clear, list-based presentation of findings makes analysis straightforward.
You will benefit from a comprehensive overview after just a short learning curve. This makes Burp Suite an excellent companion for improving the security of your web applications. The suite is equally well suited for corporate environments and personal single-page web applications alike.
What Is Cross Site Scripting (XSS) and How Does It Work?
Cross Site Scripting is a client-side injection attack in which a malicious script is inserted into an otherwise legitimate website and then executed. The attack begins as soon as a user visits the compromised page. This makes XSS a significant risk -- one that Burp Suite is specifically designed to help mitigate.
The good news is that many XSS vulnerabilities can be uncovered through penetration testing. They are most commonly found in single-page web applications where a large portion of the business logic resides in the frontend. Since this logic is typically written in JavaScript, Cross Site Scripting ranks among the most widespread weaknesses in web applications. These attack vectors are also appearing with increasing frequency in API calls, making the vulnerability inherently critical. Notably, XSS attacks are not limited to the client side -- they can also be executed server-side.
The typical goal of such an attack is to steal confidential data, cause system damage, or take over an application entirely. The attack is particularly effective because the malicious code operates within a seemingly trusted context. This makes XSS not only widespread but also highly dangerous.
It is also worth noting that XSS can be used to alter web pages at a fundamental level, enabling attackers to seize control of the browser. Confidential information and passwords can be extracted with relatively little effort by cybercriminals. Burp Suite, however, makes it straightforward to detect precisely these vulnerabilities.