    The Spanner
    Web security blog

    Made by Gareth Heyes
    Follow me on Twitter: @garethheyes

    AutoVader

    By Gareth Heyes (@hackvertor)

    Published 4 months ago • Last updated December 9, 2025 • ⏱️ 5 min read

    Four years ago we released DOM Invader. I added a feature called callbacks that lets you run your own JavaScript and log whenever a sink, web message or source is found. It was very powerful, but over the years I did not see many people taking advantage of it publicly, so recently I decided to build an extension that drives DOM Invader from within Burp and feeds the results back into Burp. AutoVader was born. AutoVader is a Burp Suite extension that integrates DOM Invader with Playwright Java to find DOM-based vulnerabilities in web applications automatically. Scans are launched from context menu actions, so security testers can quickly identify client-side issues without driving DOM Invader by hand.

    Project canary

    One of the difficulties of automating DOM Invader is passing it the correct canary. AutoVader handles this for you: it generates a project canary that is reused throughout the Burp project, so every scan uses the same canary, and when an issue is created you can replay the same request to confirm the issue manually.

    How to Use

    AutoVader adds a context menu to Burp Suite with multiple scanning options. Right-click on any request in the Target, Proxy History, or Repeater tabs to access AutoVader features.

    Available actions

    Open DOM Invader

    This action is useful when you want to configure DOM Invader before scanning, for example to add a custom sink such as alert. You can also use DOM Invader manually from this browser if you wish.

    • Opens a browser with DOM Invader configured for manual testing
    • Useful for debugging or custom analysis

    Scan all GET params

    This passes the URL to DOM Invader, which enumerates each parameter and places the canary in its value. You can also supply a payload, which is appended to the canary, via the Payload setting (Burp Settings->Extensions->AutoVader->Payload).

    • Automatically enumerates all query parameters
    • Injects canary values into each parameter
    • Detects DOM-based vulnerabilities from URL inputs

    Eval test case

    Eval sink demo

    Scan all GET params for gadgets

    Imagine your target has a CSP and you want to find a script gadget. This feature takes the HTML tags and attributes defined in the settings, enumerates every tag/attribute combination and places the canary in each attribute. You can try it yourself using a test case I constructed:

    Script gadget test case

    • Automatically enumerates all query parameters
    • Injects canary into HTML tags and attributes defined in the settings
    • Detects DOM-based gadgets from URL inputs

    Scan all POST params

    This works by passing the whole request to DOM Invader and enumerating all the POST parameters.

    • Automatically enumerates all POST parameters
    • Injects canary values into each parameter
    • Detects DOM-based vulnerabilities from POST inputs

    Scan web messages

    This scans for web message vulnerabilities and reports the findings back to Burp.

    • Tests for postMessage vulnerabilities
    • Spoofs origins and attempts message injection
    • Identifies unsafe message handlers

    Web message test case
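    What "spoofs origins" and "unsafe message handler" mean in practice is easiest to see side by side, so here is an added example written for this page (not AutoVader's or DOM Invader's code): three postMessage handlers and a check that mimics what the web message scan does, namely deliver the canary from an origin the page should not trust and see whether it lands in an HTML sink. The trusted origin, the sink stand-in and the function names are my assumptions; the DOM is replaced by a small object so the code runs under Node.js.

```javascript
// Added example, not AutoVader's code. Runs under Node.js.
const TRUSTED_ORIGIN = 'https://trusted.example'; // assumed trusted origin

// Records what a handler writes, keeping an HTML sink separate from a text sink.
function makeSink() {
  return {
    html: null,
    text: null,
    setHTML(v) { this.html = v; }, // stands in for element.innerHTML = v
    setText(v) { this.text = v; }, // stands in for element.textContent = v
  };
}

// Unsafe: no origin check at all, and the message body goes straight into an HTML sink.
function unsafeHandler(event, sink) {
  sink.setHTML(event.data);
}

// Still unsafe: a substring origin check. https://trusted.example.attacker.example passes it.
function weakOriginHandler(event, sink) {
  if (event.origin.indexOf('trusted.example') === -1) return;
  sink.setHTML(event.data);
}

// Hardened: exact origin allow-list, structural check on the payload, and a text sink.
function safeHandler(event, sink) {
  if (event.origin !== TRUSTED_ORIGIN) return;
  const d = event.data;
  if (typeof d !== 'object' || d === null || typeof d.text !== 'string') return;
  sink.setText(d.text);
}

// The message the scan delivers: the project canary wrapped in markup, from a chosen origin.
// In a real scan the message is posted into the target window from a frame or opener.
function spoofedMessage(canary, origin) {
  return { origin, data: `<img src=x onerror="${canary}">` };
}

// Reports the handler as unsafe if a message from `origin` lands the canary in the HTML sink.
function isHandlerUnsafe(handler, canary, origin = 'https://attacker.example') {
  const sink = makeSink();
  handler(spoofedMessage(canary, origin), sink);
  return sink.html !== null && sink.html.includes(canary);
}
```

Note that `weakOriginHandler` passes the plain attacker-origin test and only fails when the origin is crafted to contain the trusted hostname, which is why a scan that spoofs several origin shapes catches more than one that uses a single fixed origin.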

    Inject into all sources

    • Systematically injects payloads into all identified sources
    • Tests for DOM XSS through various input vectors

    Inject into all sources & click everything

    • Same as above but also triggers click events
    • Useful for finding vulnerabilities in event handlers

    Scan for client side prototype pollution

    • Detects prototype pollution vulnerabilities
    • Tests query string, hash, and JSON inputs
    • Verifies pollution with automated checks

    Prototype pollution source test case

    Scan for client side prototype pollution gadgets

    • Discovers exploitable gadgets for prototype pollution
    • Identifies dangerous property assignments

    Prototype pollution gadgets test case
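    To make the prototype pollution source scan and the gadget scan concrete, here is an added example written for this page (not AutoVader's or DOM Invader's code): a constructed query/hash parser and a constructed JSON merge that both pollute Object.prototype, a constructed gadget that reads an option it does not own and hands it to an HTML sink, the verification check a scan relies on, and a hardened parser. The `template` property, the sink stand-in and all function names are my assumptions; it runs under Node.js.

```javascript
// Added example, not AutoVader's code. The vulnerable parser and merge are constructed on
// purpose; the hardened parser shows the fix.

// SOURCE 1 (constructed, vulnerable): a query or hash parser supporting a[b]=c nesting that
// never rejects __proto__, so ?__proto__[x]=y walks onto Object.prototype and sets x there.
// For the hash source feed it location.hash without the leading '#'.
function parseParamsVulnerable(search) {
  const out = {};
  for (const [key, value] of new URLSearchParams(search)) {
    const path = key.replace(/\]/g, '').split('[');
    let node = out;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof node[path[i]] !== 'object' || node[path[i]] === null) node[path[i]] = {};
      node = node[path[i]]; // for "__proto__" this is Object.prototype
    }
    node[path[path.length - 1]] = value;
  }
  return out;
}

// SOURCE 2 (constructed, vulnerable): recursive merge of parsed JSON. JSON.parse gives
// {"__proto__":{...}} an own property literally named __proto__, and the merge then walks
// into target.__proto__, which is Object.prototype.
function mergeVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const v = source[key];
    if (typeof v === 'object' && v !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      mergeVulnerable(target[key], v);
    } else {
      target[key] = v;
    }
  }
  return target;
}

// Hardened parser: drop any key whose path touches a dangerous segment, and only descend
// into own object properties.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
function parseParamsSafe(search) {
  const out = {};
  for (const [key, value] of new URLSearchParams(search)) {
    const path = key.replace(/\]/g, '').split('[');
    if (path.some((seg) => BLOCKED.has(seg))) continue;
    let node = out;
    for (let i = 0; i < path.length - 1; i++) {
      const own = Object.prototype.hasOwnProperty.call(node, path[i]);
      if (!own || typeof node[path[i]] !== 'object' || node[path[i]] === null) node[path[i]] = {};
      node = node[path[i]];
    }
    node[path[path.length - 1]] = value;
  }
  return out;
}

// GADGET (constructed): an option that is normally absent is read and handed to an HTML sink.
// Once Object.prototype.template is polluted, every plain object "has" a template.
function renderWidget(options, sink) {
  const template = options.template || '<div>default</div>';
  sink.html = template; // stands in for element.innerHTML = template
  return template;
}

// VERIFICATION: set a property to the canary through the source, then check that a fresh,
// unrelated object inherits it. Clean up afterwards so later checks start from a clean slate.
function isPolluted(prop, canary) {
  return ({})[prop] === canary;
}
function cleanup(prop) {
  delete Object.prototype[prop];
}
```

The verification step is what separates a source from a finding: the parser accepting `__proto__[...]` proves nothing on its own, while `({}).template === canary` afterwards proves the prototype was written, and the gadget firing on an empty object proves there is something to exploit.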

    Intercept client side redirect

    • Sets breakpoints on client-side redirects
    • Helps identify open redirect vulnerabilities

    Settings

    AutoVader provides project-specific settings accessible through Burp Suite's Settings:

    • Path to DOM Invader: Lets you override the DOM Invader path if auto-detection fails.
    • Path to Burp Chromium: Lets you override the path to the Chromium executable if auto-detection fails.
    • Payload: Custom payload appended to the canary value when scanning.
    • HTML tags to scan: The tags to enumerate when scanning for gadgets. Used together with Attributes to scan.
    • Attributes to scan: The attributes to enumerate when scanning for gadgets.
    • Delay: Delay between requests.
    • Always open devtools: Shows the DevTools panel every time a browser window is opened.
    • Remove CSP: Strips Content-Security-Policy headers so that DOM Invader functions correctly (enabled by default). Bear in mind that an issue found with the header removed still has to be confirmed against the real policy; the gadget scan is the option intended for targets with a CSP.
    • Headless: Run scans headlessly.
    • Auto run from Repeater: Runs AutoVader whenever a Repeater request is sent. The request should contain the $canary placeholder.
    • Auto run from Intruder: Runs AutoVader whenever an Intruder request is sent. The request should contain the $canary placeholder.
    • Auto run from other extensions: Runs AutoVader whenever another extension sends a request. The request should contain the $canary placeholder.

    Installation

    In Burp Suite Professional, go to Extensions->BApp store and search for AutoVader. Click the install button.

    Video demo

    You can see it in action in this video demo.
