The purpose of this plugin is to ease the identification of DOM XSS sinks and sources.
It injects a Trusted Types polyfill and a default policy into a Burp response in order to log all DOM sinks where HTML gets created and written directly into the DOM, e.g. via innerHTML.
The logging happens inside the browser's web console, e.g. Chrome's DevTools console.
Requirements to use it:
- Burp v2020.1 Community or Professional
- Recent Browser e.g. Chrome
- Proxy Switcher e.g. FoxyProxy
Requirements to extend or build it:
- Java 11
- Maven
- Idea e.g. IntelliJ or Eclipse
- Install this plugin via the Burp Extender, e.g. in Burp Community.
- Open your favorite browser and enable the developer tools via F12.
- Proxy the relevant requests through Burp with your favorite proxy switcher.
- Enable the plugin: go to the DomInjector tab and select the "Enable" checkbox.
- The plugin supports two operation modes:
  - Logging mode, which logs all injection sinks that are considered unsafe
  - Taint mode, which logs a sink only if the configured taint value gets reflected in it
Go to the Dom Injector plugin tab to enable and disable the plugin. A taint value is set by default. It is configurable via the input field. Save it and reload your page to make any change effective.
This is the default setting, where the plugin's taint mode is disabled. All usages of the createHTML, createScript and createScriptURL functions will be reported in the browser's web console.
- Enable the taint mode via the checkbox.
- Either select a new taint needle or use the preset one.
- Inject it into a source e.g. window name or a cookie.
- If the taint value gets detected in a sink then it will get reported in the browser console.
- If you want to re-enable the much more verbose logging, just untick the operation mode checkbox again.
The plugin is an interceptor which injects some JavaScript into the response before it gets to the browser. The injected code does not communicate back to Burp. Any output of the injected code is written to the browser console and nowhere else.
Trusted Types are a browser API which helps to write, review and maintain applications free of DOM XSS vulnerabilities; that is at least the main goal. It makes critical or dangerous web API functions more secure by instructing user agents to restrict the usage of these known DOM XSS sinks to a predefined set of functions that only accept non-spoofable, typed values in place of strings. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types
The Trusted Types API provides a default fallback for cases where no specific Trusted Types function was used. This default policy gets triggered on potentially unsafe writes, e.g. of HTML, to the DOM. That behaviour makes Trusted Types pretty attractive for use in a security review, to get an overview of potential DOM sinks: it is pretty stable, simple to prepare and easy to inject through a proxy, and that is exactly what the plugin does.
Trusted Types are supported natively in Chrome 83, and a polyfill is available for other browsers. The plugin currently injects the ES5 polyfill.
The plugin uses the Trusted Types default policy to inject a very small piece of logging and taint detection JavaScript.
The Trusted Types policy named "default" is a special one. When a plain string value is passed to an injection sink, this policy is implicitly called by the user agent with the string value as the first argument and the sink name as a further argument. This can be used to check the string value for taint values coming from a known source, such as the needle value which can be configured in the Burp plugin tab.
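As an added illustration of the default-policy mechanism described above (this is not the plugin's own injected code), the following script builds the three policy callbacks, logs either every sink call or only those containing the needle, and installs them as the `default` policy when a Trusted Types implementation (native or polyfill) is present. The needle value and the names `buildDefaultPolicyRules` and `installDefaultPolicy` are assumptions made for the example.

```javascript
// Constructed sample needle; the plugin reads the real one from its Burp tab.
const TAINT_NEEDLE = "TAINT_1337";

// Build the three default-policy callbacks.
//   taintMode === false : verbose mode, report every sink call
//   taintMode === true  : report only calls whose value contains the needle
// `log` is injectable so the behaviour can be tested without a browser console.
function buildDefaultPolicyRules(needle, taintMode, log = console.warn) {
  // The user agent calls these with the string value first and the sink
  // description after it. The exact layout of the trailing arguments differs
  // between the native API and the polyfill, so everything after the value is
  // logged as-is instead of assuming a fixed position.
  const report = (kind) => (value, ...sinkInfo) => {
    const str = String(value);
    const tainted = str.includes(needle);
    if (!taintMode || tainted) {
      log(`[TT ${kind}] sink=${sinkInfo.join(" ")} tainted=${tainted} ` +
          `value=${str.slice(0, 200)}`);
    }
    return str; // allow the write unchanged: the goal is visibility, not blocking
  };
  return {
    createHTML: report("html"),
    createScript: report("script"),
    createScriptURL: report("scriptURL"),
  };
}

// Register the rules as the special "default" policy so that every fallback
// for a string reaching a Trusted Types sink routes through them.
function installDefaultPolicy(needle, taintMode) {
  if (typeof window === "undefined" || !window.trustedTypes ||
      typeof window.trustedTypes.createPolicy !== "function") {
    return null; // not a browser, or Trusted Types (native/polyfill) unavailable
  }
  return window.trustedTypes.createPolicy(
    "default", buildDefaultPolicyRules(needle, taintMode));
}

installDefaultPolicy(TAINT_NEEDLE, true);
```

In a review session the same needle is placed into a source such as window.name or a cookie; a `tainted=true` line in the console then ties that source to the reported sink.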
Run maven to build the plugin.
mvn clean install
Go to the Burp Extender tab, click on "Add" and select the plugin from the target folder.
Feel free to raise feature requests or report bugs as a GitHub issue. Any contributions are welcome. Please follow the linked contribution guidelines: https://gist.github.com/MarcDiethelm/7303312
All contents of this repository as well as the compiled output fall under the attached GNU GPL v3 license.