{"id":16351398,"url":"https://github.com/thomashartm/burp-domsink-logger","last_synced_at":"2025-03-23T01:30:48.568Z","repository":{"id":46724443,"uuid":"260922818","full_name":"thomashartm/burp-domsink-logger","owner":"thomashartm","description":"Injects a trusted types policy into an HTML page to log all DOM sinks whenever HTML is written into the DOM.","archived":false,"fork":false,"pushed_at":"2023-04-14T17:49:17.000Z","size":54,"stargazers_count":11,"open_issues_count":3,"forks_count":2,"subscribers_count":2,"default_branch":"develop","last_synced_at":"2025-03-18T16:13:23.353Z","etag":null,"topics":["burp","burp-extensions","burp-plugin","burpsuite-extender","cross-site-scripting","domxss","java","javascript","penetration-testing-tools","security-testing","security-tools","trusted-types"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/thomashartm.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-05-03T13:15:50.000Z","updated_at":"2023-09-27T19:31:22.000Z","dependencies_parsed_at":"2024-10-28T15:20:37.497Z","dependency_job_id":"c2260fb5-0bfe-4f92-98b7-22a2330148cf","html_url":"https://github.com/thomashartm/burp-domsink-logger","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thomashartm%2Fburp-domsink-logger","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thomashartm%2Fburp-domsink-logger/tags","releases_url":"https
://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thomashartm%2Fburp-domsink-logger/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thomashartm%2Fburp-domsink-logger/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/thomashartm","download_url":"https://codeload.github.com/thomashartm/burp-domsink-logger/tar.gz/refs/heads/develop","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245043839,"owners_count":20551840,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["burp","burp-extensions","burp-plugin","burpsuite-extender","cross-site-scripting","domxss","java","javascript","penetration-testing-tools","security-testing","security-tools","trusted-types"],"created_at":"2024-10-11T01:09:19.629Z","updated_at":"2025-03-23T01:30:48.271Z","avatar_url":"https://github.com/thomashartm.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Burp DOM Sink Logger\n[![Build Status Master](https://travis-ci.org/thomashartm/burp-domsink-logger.svg?branch=master)](https://github.com/thomashartm/burp-domsink-logger/tree/master)\n[![Build Status Develop](https://travis-ci.org/thomashartm/burp-domsink-logger.svg?branch=develop)](https://github.com/thomashartm/burp-domsink-logger/tree/develop)\n\nThe purpose of this plugin is to ease the identification of DOM XSS Sinks and sources.\n\nIt injects a trusted types polyfill and default policy into a burp response to \nlog all DOM sinks where HTML gets created and directly written into the DOM \ne.g. 
via innerHTML.\n\nThe logging happens inside the browser's web console, e.g. Chrome's console.\n\n# Requirements\nRequirements to use it:\n\n- Burp v2020.1 Community or Professional\n- A recent browser, e.g. Chrome\n- A proxy switcher, e.g. FoxyProxy\n\nRequirements to extend or build it:\n- Java 11\n- Maven\n- An IDE, e.g. IntelliJ or Eclipse\n\n# How to use it\n1. Install this plugin via the Burp Extender, e.g. in Burp Community.\n2. Open your favorite browser and enable the developer tools via F12.\n3. Proxy the relevant requests with Burp and your favorite proxy switcher.\n4. Enable the plugin. Go to the DomInjector tab and select the \"Enable\" checkbox.\n5. The plugin supports two operation modes:\n5.1 Logging mode, which logs all injection sinks that are considered unsafe.\n5.2 Taint mode, which logs a sink only if the configured taint value gets reflected.\n\n## Taint value detection vs. logging\nGo to the Dom Injector plugin tab to enable and disable the plugin.\nA taint value is set by default.\nIt is configurable via the input field.\nSave it and reload your page to make any change effective.\n\n### Logging Mode\nThis is the default setting, in which the plugin's taint mode is disabled.\nAll uses of the createHTML, createScript and createScriptURL functions will be reported in the browser's web console.\n\n### Taint Mode\n1. Enable the taint mode via the checkbox.\n2. Either select a new taint needle or use the preset one.\n3. Inject it into a source, e.g. window.name or a cookie.\n4. If the taint value gets detected in a sink, it will be reported in the browser console.\n5. 
If you want to re-enable the much more verbose logging, just untick the operation mode checkbox again.\n\n## Important hint\nThe plugin is an interceptor which injects some JavaScript into the response before it gets to the browser.\nThe injected code does not communicate back to Burp.\nAny output by the injected code gets written into the browser console and nowhere else.\n\n## Trusted Types\nTrusted Types are a browser API which helps to write, review and maintain applications free of DOM XSS vulnerabilities.\nThat is, at least, the main goal.\nIt makes critical or dangerous web API functions more secure by instructing user agents to restrict the usage of these known DOM XSS sinks to a predefined set of functions that only accept non-spoofable, typed values in place of strings.\nSee https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types\n\n### What is the benefit of using them to identify potential sinks\nThe Trusted Types API provides a default fallback for cases where there is no specific \"trusted types\" function.\nThis default gets triggered on potentially unsafe writes, e.g. of HTML, to the DOM.\nThat behaviour makes Trusted Types attractive for use in a security review to get an overview of potential DOM sinks:\nit is stable, simple to prepare and easy to inject through a proxy, and that is exactly what the plugin does.\n\n### Browser Support\nTrusted Types are supported in Chrome 83 and there is a polyfill available for other browsers.\nThe plugin currently injects the ES5 polyfill.\n\n### Trusted Types Default Policy\nThe plugin uses the Trusted Types default policy to inject a very small piece of logging and taint detection JS code.\n\nThe Trusted Types policy named \"default\" is a special one.
\nWhen a value is passed to an injection sink, this policy will be implicitly called by the user agent with the string value as the first argument and the sink name as the second argument.\nThis can be used to check the string value for taint values coming from a known source, such as our needle value, which can be configured in the Burp plugin tab.\n\n# How to build and install\n\nRun Maven to build the plugin:\n\n    mvn clean install\n\nGo to the Burp Extender tab,\nclick on \"Add\" and select the plugin from the target folder.\n\n# Contributions\nFeel free to raise feature requests or report bugs as a GitHub issue.\nAny contributions are welcome.\nPlease follow the linked contribution guidelines:\nhttps://gist.github.com/MarcDiethelm/7303312\n\n# License\nAll contents of this repository as well as the\ncompiled output fall under the attached GNU GPL v3 license.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthomashartm%2Fburp-domsink-logger","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fthomashartm%2Fburp-domsink-logger","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthomashartm%2Fburp-domsink-logger/lists"}