mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-24 03:53:29 +00:00
117 lines
7.6 KiB
Markdown
117 lines
7.6 KiB
Markdown
# DOM Invader
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|
|
|
|
## DOM Invader
|
|
|
|
DOM Invader is a browser tool installed in Burp's inbuilt browser. It assists in **detecting DOM XSS vulnerabilities** using various sources and sinks, including web messages and prototype pollution. The tool is preinstalled as an extension.
|
|
|
|
DOM Invader integrates a tab within the browser's DevTools panel enabling the following:
|
|
|
|
1. **Identification of controllable sinks** on a webpage for DOM XSS testing, providing context and sanitization details.
|
|
2. **Logging, editing, and resending web messages** sent via the `postMessage()` method for DOM XSS testing. DOM Invader can also auto-detect vulnerabilities using specially crafted web messages.
|
|
3. Detection of **client-side prototype pollution** sources and scanning of controllable gadgets sent to risky sinks.
|
|
4. Identification of **DOM clobbering vulnerabilities**.
|
|
|
|
### Enable It
|
|
|
|
In the Burp's builtin browser go to the **Burp extension** and enable it:
|
|
|
|
<figure><img src="../../.gitbook/assets/image (1129).png" alt=""><figcaption></figcaption></figure>
|
|
|
|
Noe refresh the page and in the **Dev Tools** you will find the **DOM Invader tab:**
|
|
|
|
<figure><img src="../../.gitbook/assets/image (695).png" alt=""><figcaption></figcaption></figure>
|
|
|
|
### Inject a Canary
|
|
|
|
In the previous image you can see a **random group of chars, that is the Canary**. You should now start **injecting** it in different parts of the web (params, forms, url...) and each time click search it. DOM Invader will check if the **canary ended in any interesting sink** that could be exploited.
|
|
|
|
Moreover, the options **Inject URL params** and Inject forms will automatically open a **new tab** **injecting** the **canary** in every **URL** param and **form** it finds.
|
|
|
|
### Inject an empty Canary
|
|
|
|
If you just want to find potential sinks the page might have, even if they aren't exploitable, you can **search for an empty canary**.
|
|
|
|
### Post Messages
|
|
|
|
DOM Invader allows testing for DOM XSS using web messages with features such as:
|
|
|
|
1. **Logging web messages** sent via `postMessage()`, akin to Burp Proxy's HTTP request/response history logging.
|
|
2. **Modification** and **reissue** of web messages to manually test for DOM XSS, similar to Burp Repeater's function.
|
|
3. **Automatic alteration** and sending of web messages for probing DOM XSS.
|
|
|
|
#### Message details
|
|
|
|
Detailed information can be viewed about each message by clicking on it, which includes whether the client-side JavaScript accesses the `origin`, `data`, or `source` properties of the message.
|
|
|
|
* **`origin`** : If the **origin information of the message is not check**, you may be able to send cross-origin messages to the event handler **from an arbitrary external domain**. But if it's checked it still could be insecure.
|
|
* **`data`**: This is where the payload is sent. If this data is not used, the sink is useless.
|
|
* **`source`**: Evaluates if the source property, usually referencing an iframe, is validated instead of the origin. Even if this is checked, it doesn't assure the validation can't be bypassed.
|
|
|
|
#### Reply a message
|
|
|
|
1. From the **Messages** view, click on any message to open the message details dialog.
|
|
2. Edit the **Data** field as required.
|
|
3. Click **Send**.
|
|
|
|
### Prototype Pollution
|
|
|
|
DOM Invader can also search for **Prototype Pollution vulnerabilities**. First, you need to enable it:
|
|
|
|
<figure><img src="../../.gitbook/assets/image (1026).png" alt=""><figcaption></figcaption></figure>
|
|
|
|
Then, it will **search for sources** that enable you to add arbitrary properties to the **`Object.prototype`**.
|
|
|
|
If anything is found a **Test** button will appear to **test the found source**. Click on it, a new tab will appear, create an object in the console and check if the `testproperty` exists:
|
|
|
|
```javascript
|
|
let b = {}
|
|
b.testproperty
|
|
```
|
|
|
|
Once you found a source you can **scan for a gadget**:
|
|
|
|
1. A new tab is opened by DOM Invader when the **Scan for gadgets** button, which can be found next to any identified prototype pollution source in the **DOM** view, is clicked. The scanning for suitable gadgets then begins.
|
|
2. Meanwhile, in the same tab, the **DOM Invader** tab should be opened in the DevTools panel. After the scan completes, any sinks accessible via the identified gadgets are displayed in the **DOM** view. For instance, a gadget property named `html` being passed to the `innerHTML` sink is shown in the example below.
|
|
|
|
## DOM clobbering
|
|
|
|
In the previous image it's possible to see that DOM clobbering scan can be turned on. Once done, **DOM Invader will start searching for DOM clobbering vulnerabilities**.
|
|
|
|
## References
|
|
|
|
* [https://portswigger.net/burp/documentation/desktop/tools/dom-invader](https://portswigger.net/burp/documentation/desktop/tools/dom-invader)
|
|
* [https://portswigger.net/burp/documentation/desktop/tools/dom-invader/enabling](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/enabling)
|
|
* [https://portswigger.net/burp/documentation/desktop/tools/dom-invader/dom-xss](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/dom-xss)
|
|
* [https://portswigger.net/burp/documentation/desktop/tools/dom-invader/web-messages](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/web-messages)
|
|
* [https://portswigger.net/burp/documentation/desktop/tools/dom-invader/prototype-pollution](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/prototype-pollution)
|
|
* [https://portswigger.net/burp/documentation/desktop/tools/dom-invader/dom-clobbering](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/dom-clobbering)
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|