Getting started with DOM Invader

We first launched DOM Invader to our early adopters track at the end of June. It is a completely new Burp Suite tool, implemented as an extension in the embedded browser. It's been nearly a month now since launch, and we've recently released a new set of DOM Invader updates to our early adopter release track. If you haven't had the chance to take DOM Invader for a spin, get yourself onto our early adopter channel to see what it can do!

Joining the early adopter track to enable use of DOM Invader.

Once you've enabled DOM Invader, there's no end to the fun you can have. Simply fire up Burp Suite and get stuck in with these testing and discovery tips ...

If you want to discover and see every single sink that a site uses, DOM Invader's got your back. Make sure you've got DOM Invader enabled, set the canary value to an empty string, then sit back and observe the site sinks rolling in.

Perhaps you want to automatically test to see if a site has correctly encoded a character before it hits a sink, to see if that sink is vulnerable? If so, you can either inject the canary and additional characters or, you can set the canary to include those characters. If you're feeling adventurous, you can even use JavaScript URLs as a canary - for example: javascript:burpdomxss.
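As an added illustration of the check described above (this is example code written for this post, not DOM Invader's own implementation), the snippet below simulates "canary plus extra characters" probing against a couple of hypothetical source-to-sink flows: one that applies a partial HTML encoder before an HTML sink, and one that assigns a value to a URL sink. The canary `burpdomxss` is taken from the post; the encoder, the flow functions and the character list are constructed for the example.

```javascript
// Added example: simulate DOM Invader's "inject the canary plus characters" check.
// Neither the encoder nor the flows below are DOM Invader code; they stand in for
// whatever a target site does between a source and a sink.

const CANARY = 'burpdomxss';                  // canary value from the post
const PROBE_CHARS = ['<', '>', '"', "'", '&']; // characters we want to see survive or not

// Hypothetical site encoder applied before an HTML sink. It deliberately
// forgets the single quote, to show how a partial encoder is revealed.
function htmlEncode(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Probe one flow: inject canary + one character at a time and report whether the
// exact unencoded pair reached the sink. `flow` maps a source value to the sink value.
function probeSink(flow, canary = CANARY, chars = PROBE_CHARS) {
  const result = {};
  for (const c of chars) {
    const injected = canary + c;
    result[c] = flow(injected) === injected; // true = reached the sink unencoded
  }
  return result;
}

// Hypothetical URL sink flow with no validation: the value is resolved as a URL
// and assigned as-is, so a javascript: canary is passed straight through.
function urlSinkFlow(value) {
  return new URL(value, 'https://example.com').href;
}

// Hardened counterpart: only same-origin https URLs are allowed to reach the sink.
// Returns null when the value is rejected.
function safeUrlFlow(value) {
  let url;
  try { url = new URL(value, 'https://example.com'); } catch { return null; }
  if (url.protocol !== 'https:' || url.origin !== 'https://example.com') return null;
  return url.href;
}

// Stand-alone demonstration.
console.log('no encoding  :', probeSink(s => s));
console.log('htmlEncode   :', probeSink(htmlEncode));
console.log('url sink     :', urlSinkFlow('javascript:' + CANARY));
console.log('safe url sink:', safeUrlFlow('javascript:' + CANARY));
```

Running it shows every probe character surviving the identity flow, only the single quote surviving `htmlEncode`, and the `javascript:` canary reaching the unvalidated URL sink while the hardened flow drops it. That is the same signal DOM Invader surfaces when a sink entry shows the canary with its extra characters intact.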

Adding another string to DOM Invader's already impressive bow, it can also find JSON data structures automatically. If you check the "generate automated messages" option in the settings, DOM Invader will use some specially crafted JavaScript to try and guess the structure of messages. If you want to see this in action, enable DOM Invader and the post message option, then visit the "DOM XSS using web messages and JSON.parse" lab on our Web Security Academy.
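To make concrete what a JSON-parsing web message handler looks like and why its structure matters, here is an added example (written for this post; it is not the lab's code and not DOM Invader's). It contrasts a handler that trusts the parsed object with one that checks origin, shape and URL scheme. Both are written as plain functions that receive the message event and a sink callback, so they run in Node without a browser; `TRUSTED_ORIGIN`, the `load-channel` message type and the event objects are all constructed for the example.

```javascript
// Added example: a postMessage handler that parses JSON, in a trusting and a
// hardened form. Hypothetical names throughout; not code from the lab or the tool.

const TRUSTED_ORIGIN = 'https://example.com'; // constructed for the example

// Trusting pattern: no origin check, the parsed object's fields are used as-is,
// and the URL flows into a sink. A canary such as javascript:burpdomxss arrives intact.
function vulnerableHandler(event, setSrc) {
  let d;
  try { d = JSON.parse(event.data); } catch { return 'ignored'; }
  if (d && d.type === 'load-channel') {
    setSrc(d.url);
    return 'loaded';
  }
  return 'ignored';
}

// Hardened pattern: verify the sender, validate the message shape, and only let a
// same-origin https URL reach the sink. Each rejection reason is returned so a
// test (or a log line) can see exactly which check fired.
function hardenedHandler(event, setSrc) {
  if (event.origin !== TRUSTED_ORIGIN) return 'rejected-origin';
  let d;
  try { d = JSON.parse(event.data); } catch { return 'rejected-json'; }
  if (typeof d !== 'object' || d === null) return 'rejected-shape';
  if (d.type !== 'load-channel' || typeof d.url !== 'string') return 'rejected-shape';
  let url;
  try { url = new URL(d.url, TRUSTED_ORIGIN); } catch { return 'rejected-url'; }
  if (url.protocol !== 'https:' || url.origin !== TRUSTED_ORIGIN) return 'rejected-scheme-or-host';
  setSrc(url.href);
  return 'loaded';
}

// Stand-alone demonstration with constructed events.
const probe = { origin: 'https://other.example', data: JSON.stringify({ type: 'load-channel', url: 'javascript:burpdomxss' }) };
console.log('vulnerable:', vulnerableHandler(probe, v => console.log('  sink <-', v)));
console.log('hardened  :', hardenedHandler(probe, v => console.log('  sink <-', v)));
```

The message shape the handler expects (`{"type":"load-channel","url":...}`) is exactly what DOM Invader's automated-messages option tries to infer by reading the handler code, so when you see it populate a message with those keys on the lab, this is the structure it has guessed.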

If it's more attack surface you're after, DOM Invader's got you covered there too. It can help to discover JavaScript-based parameters automatically - the parameters will then appear in the "URLSearchParameters" source in the tree view, giving you a clear view of that additional attack surface.

Last, but by no means least, DOM Invader can automatically inject the canary into every source, saving you time and removing the requirement for manual injection. This last feature is great for automatically finding bugs - simply set the canary to your injection string and let DOM Invader do the hard work for you.

Still want to learn more about DOM Invader? Fear not, there's plenty more where that came from. You can read our blog post introducing the tool as a brand new addition to Burp Suite Professional and Burp Suite Community Edition. If that's not enough for you, read Gareth's full DOM Invader write-up - this covers the discovery journey of the PayPal DOM XSS he found during the testing phase of the tool, and some extra tips for using the new tooling.

For additional support in using DOM Invader, please see our documentation.
