Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/bayotop/sink-logger
Transparently log all data passed into known JavaScript sinks - Sink Logger extension for Burp.
https://github.com/bayotop/sink-logger
burp burp-extensions domxss javascript jython
Last synced: about 1 month ago
JSON representation
Transparently log all data passed into known JavaScript sinks - Sink Logger extension for Burp.
- Host: GitHub
- URL: https://github.com/bayotop/sink-logger
- Owner: bayotop
- Archived: true
- Created: 2018-05-09T13:12:32.000Z (over 6 years ago)
- Default Branch: master
- Last Pushed: 2022-07-20T14:21:13.000Z (over 2 years ago)
- Last Synced: 2024-08-02T00:23:08.180Z (4 months ago)
- Topics: burp, burp-extensions, domxss, javascript, jython
- Language: Python
- Homepage:
- Size: 180 KB
- Stars: 50
- Watchers: 5
- Forks: 13
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-burp-extensions - Sink Logger - Sink Logger is a Burp Suite Extension that allows to transparently monitor various JavaScript sinks. (Logging and Notes / SSRF)
README
**This repository is no longer maintained. See https://portswigger.net/burp/documentation/desktop/tools/dom-invader instead.**
# sink-logger
Transparently log all data passed into known JavaScript sinks - Sink Logger extension for Burp.
### Description
Sink Logger is a Burp Suite Extension that allows to transparently monitor various JavaScript sinks. All data passed into the defined sinks is logged into the browser's console. This is done by injecting a custom [Proxy](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Proxy) initialization script into chosen HTTP responses and "proxifying" all sinks.
### Technical details
The extension intercepts responses and does 2 major things:
- In case the response is HTML or JavaScript it injects a script initializing a custom Proxy.
```JS
var QF9iYXlvdG9w = QF9iYXlvdG9w || new Proxy({}, {
set: function(target, key, value, receiver) {
if (value != undefined && value !== "") {
if ((value + "").startsWith("[object")) {
try {
var svalue = JSON.stringify(value);
} catch(error) {}
}
console.warn(`Sink log (${key}): ${svalue !== undefined ? svalue : value}`);
}
return Reflect.set(target, key, value, receiver);
}
});
```
- It "proxifies" all sinks. Currently 3 different sink types are supported: **.innerHTML**, **eval()** and **document.write()**.
```python
self.sinkPatterns = {
# pattern: replacement passed into re.sub()
r'\.innerHTML=': '.innerHTML=QF9iYXlvdG9w.innerHTML=',
r'eval\(([^)])': r'eval(QF9iYXlvdG9w.eval=\1',
r'document\.write\(([^)])': r'document.write(QF9iYXlvdG9w.write=\1'
}
```
*Note: You can easily add custom sinks, or any other assignment / method call you want to proxify, by extending this dictionary. No other code changes are needed.*
"Proxifying" a sink means to edit existing JavaScript so that every sink is preceded by an assignment to the proxy:
```JS
x.innerHTML=x.trim(); // becomes x.innerHTML=QF9iYXlvdG9w.innerHTML=x.trim();
document.write("string"); // becomes document.write(QF9iYXlvdG9w.write="string");
```
No sematic changes, no syntax errors (please report an issue if you find out otherwise).
### Remarks
- During the process CSP headers (and the `` tag) as well as SRI checks are stripped. **This puts you at risk when surfing the web**.
- Websites may break. The aim is to be completely transparent, in some cases, however, the modifications may result in invalid JavaScript syntax or otherwise break web-apps. Please consider reporting an issue if you encounter such behavior.