
fcavallarin / domdig


DOM XSS scanner for Single Page Applications

License: GNU General Public License v3.0

JavaScript 77.49% CSS 6.38% HTML 15.07% Shell 1.06%

domdig's People

Contributors: 0xflotus, fcavallarin

domdig's Issues

Error in Running npm i

I just cloned the tool and ran npm i. I get this error:

npm i
npm ERR! Cannot read properties of undefined (reading 'extraneous')

I updated npm and I am running it on Windows.
npm version: 10.5.2

Unable to crawl/scan webpage

Hi, I have this page which contains a reflected DOM XSS, but domdig returns an error when I try to scan it.

To Reproduce

Use this HTML POC and serve it with a webserver.

<!DOCTYPE html>
<html>
<head>
    <title></title>
</head>
<body>
<script>
    document.location.href = document.location.hash.substr(1);
</script>
</body>
</html>
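To make explicit what the POC above exposes, and what a fixed page would do instead, here is an added example that is not part of the issue report and not domdig's code. The first function models the POC's sink, which hands whatever follows `#` straight to `location.href`, so a fragment such as `#javascript:alert(document.domain)` runs script in the page's origin and `#//evil.example/` is an open redirect. The second function is a hardened replacement that resolves the fragment against the page origin and only allows same-origin http(s) targets. The origin `https://app.example` and the sample fragments are constructed for the demonstration.

```javascript
// Added example modelling the POC above; not domdig's code nor the reporter's page.
// Both functions are pure so they run outside a browser: they return the value
// the page would assign to location.href, or null when the redirect is refused.

// Vulnerable behaviour from the POC: location.href = location.hash.substr(1).
// A "javascript:" target is executed as script in the page's origin, and any
// absolute URL becomes an open redirect.
function vulnerableRedirectTarget(hash) {
  return hash.substr(1);
}

// Hardened replacement: resolve the fragment against the page origin (assumed
// "https://app.example" below) and accept only same-origin http(s) URLs.
// new URL() lowercases the scheme and strips leading C0 controls/whitespace the
// same way browser navigation does, so "\tJaVaScRiPt:..." is still rejected.
function safeRedirectTarget(hash, pageOrigin) {
  const candidate = hash.slice(1);
  if (candidate === "") return null;           // "#" or no fragment: nothing to follow
  let url;
  try {
    url = new URL(candidate, pageOrigin);      // relative paths resolve under pageOrigin
  } catch (e) {
    return null;                               // unparsable input: refuse
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null; // javascript:, data:, ...
  if (url.origin !== pageOrigin) return null;  // protocol-relative "//evil.example" or other hosts
  return url.href;
}

// Constructed fragments an attacker could put in a link to the page.
const SAMPLE_FRAGMENTS = [
  "#/account",                               // legitimate same-origin path
  "#javascript:alert(document.domain)",      // DOM XSS through the href sink
  "#\tJaVaScRiPt:alert(1)",                  // same, obfuscated with a tab and mixed case
  "#//evil.example/phish",                   // open redirect via protocol-relative URL
  "#https://evil.example/phish",             // open redirect via absolute URL
];

// Side-by-side view of what each function would hand to location.href.
function compare(pageOrigin) {
  return SAMPLE_FRAGMENTS.map((hash) => ({
    hash,
    vulnerable: vulnerableRedirectTarget(hash),
    hardened: safeRedirectTarget(hash, pageOrigin),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compare("https://app.example"));
}
```

Only the `#/account` row survives the hardened function; every other fragment is passed through unchanged by the POC's assignment.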

Tool crashes while running

Hello, I stumbled across the Burp extension, and after it did not seem to work, due to the cookies not getting passed into it properly (maybe because of how the JSON formatting/parsing works under the hood), I modified the command line that gets run under the hood when the Burp extension calls domdig. Running that manually while passing it through the Burp proxy has worked, although not without crashes.

I unfortunately can't link the web application that I was using domdig on but I can provide at least two stack traces when the tool crashed.

First stack trace:

/home/john/Desktop/burpextensions/domdig/node_modules/puppeteer-core/lib/cjs/puppeteer/common/Connection.js:61
        _Callback_error.set(this, new Errors_js_1.ProtocolError());
                                  ^
ProtocolError: Protocol error (Page.addScriptToEvaluateOnNewDocument): Target closed
    at new Callback (/home/john/Desktop/burpextensions/domdig/node_modules/puppeteer-core/lib/cjs/puppeteer/common/Connection.js:61:35)
    at CallbackRegistry.create (/home/john/Desktop/burpextensions/domdig/node_modules/puppeteer-core/lib/cjs/puppeteer/common/Connection.js:106:26)
    at Connection._rawSend (/home/john/Desktop/burpextensions/domdig/node_modules/puppeteer-core/lib/cjs/puppeteer/common/Connection.js:216:26)
    at CDPSessionImpl.send (/home/john/Desktop/burpextensions/domdig/node_modules/puppeteer-core/lib/cjs/puppeteer/common/Connection.js:425:78)
    at CDPPage.exposeFunction (/home/john/Desktop/burpextensions/domdig/node_modules/puppeteer-core/lib/cjs/puppeteer/common/Page.js:408:66)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)

Node.js v18.16.0

Second stack trace:

/home/john/Desktop/burpextensions/domdig/node_modules/puppeteer-core/lib/cjs/puppeteer/common/ElementHandle.js:110
            throw new Error(`Error: failed to find element matching selector "${selector}"`);
                  ^

Error: Error: failed to find element matching selector "fieldset > select"
    at CDPElementHandle.$eval (/home/john/Desktop/burpextensions/domdig/node_modules/puppeteer-core/lib/cjs/puppeteer/common/ElementHandle.js:110:19)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)

Node.js v18.16.0

I am honestly not sure how much this helps but this tool seems very interesting and I would genuinely like to get it to work.

For context: using DOM Invader I have discovered a DOM XSS via modifying location.pathname and was hoping to replicate it with domdig, but these errors have not allowed that to happen yet.

On second thought, including at least how I ran domdig may be useful:

home/john/.nvm/versions/node/v18.16.0/bin/node /home/john/Desktop/burpextensions/domdig/domdig.js -l -d domdig_manual_attempt10.db -x 40000 -c ".ASPXAUTH=..." -X .*Logout.* -p http:127.0.0.1:8080 https://acme.com/admin

Error at 'Crawl' - 'Start scan'

Hi,

I am having issues with running the extension.
The following error is shown after I check 'Just crawl the target' checkbox and press the 'Start Scan' button.
(screenshot attached)
OS: MacOS
Node version: v21.7.2
Burp version: 2024.3.1.4

Thank you in advance.

Regards,

How to Configure the Tool to Log In Manually

I saw that this tool uses config like this to login:

[
   ["navigate", "https://target.local/login-page"],
   ["write", "#username", "demo"],
   ["write", "#password", "demo"],
   ["sleep", 2],
   ["clickToNavigate", "#btn-login"]
]

But how can I log in manually when the page gets opened? For example, the page has a captcha and I have to fill in the captcha field by hand.

Guides on Customizing Payload

In payload.js I saw window.___xssSink({0})

A guide explaining how it works, and how to put it in our payload would be helpful.
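The `{0}` in that template reads as a placeholder for a per-injection identifier: when a payload actually executes, it calls the sink with that number, so the scanner learns not just that something fired but which template at which injection point. The following is an added example of that canary-sink pattern, written here to illustrate the mechanism; it is not domdig's scanner or payload.js, and its template strings, the eval-style page model and the `window` shim are assumptions made so it runs under Node.

```javascript
// Added example of the canary-sink pattern behind a template such as
// window.___xssSink({0}). Illustrative code, not domdig's own implementation.
// Assumptions: the template strings, the eval-style page model, and the window
// shim below (window === globalThis in a browser; Node has no window object).

if (typeof window === "undefined") globalThis.window = globalThis; // Node shim

// Payload templates for three sink contexts: a JS string literal, an HTML
// attribute, and a URL. Each calls the sink with the same {0} placeholder.
const PAYLOAD_TEMPLATES = [
  "';window.___xssSink({0});//",                         // breaks out of a JS string
  "\"><img src=x onerror=\"window.___xssSink({0})\">",   // breaks out of an HTML attribute
  "javascript:window.___xssSink({0})",                   // URL sink (href, location)
];

// Fill every {0} with a unique id so a firing payload identifies itself.
function buildPayload(template, id) {
  return template.split("{0}").join(String(id));
}

// Install the sink: a global function the page can call. Returns the registry
// of ids that were reported, which is what the scanner inspects afterwards.
function installSink() {
  const fired = new Set();
  window.___xssSink = (id) => { fired.add(Number(id)); };
  return fired;
}

// Constructed model of a page with an eval-style sink, i.e. one that builds JS
// source from untrusted input as in eval("var q = '" + input + "';").
// A payload that merely stays inside the string literal is inert data; one that
// breaks the syntax without executing raises SyntaxError and counts as not fired.
function evalSinkPage(input) {
  try {
    new Function("var q = '" + input + "';")();
  } catch (e) {
    if (!(e instanceof SyntaxError)) throw e;
  }
}

// Feed every template to the sink and report which template indices fired.
// Ids are index + 1 so that id 0 can never be confused with "nothing fired".
function scanSink(sinkPage, templates = PAYLOAD_TEMPLATES) {
  const fired = installSink();
  templates.forEach((tpl, i) => sinkPage(buildPayload(tpl, i + 1)));
  return templates.map((_, i) => i).filter((i) => fired.has(i + 1));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("templates that executed in the eval sink:", scanSink(evalSinkPage)); // [ 0 ]
}
```

Against the eval-style sink only the string-breakout template reaches the callback; the attribute and URL payloads remain inert string contents. A custom payload therefore only needs to keep the `window.___xssSink({0})` call intact in whatever context it is meant to escape, since the id substituted for `{0}` is how the scanner maps a callback back to the injection that caused it.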

Installation issue and XSS issue with the DOM-based challenge on the PortSwigger Academy

Hello!

I think I am having issues with installation.

johnd@kali:~/Github$ cd domdig && npm i && cd ..

[email protected] install /home/johnd/Github/domdig/node_modules/puppeteer
node install.js

Downloading Chromium r686378 - 114 Mb [====================] 100% 0.0s
Chromium downloaded to /home/johnd/Github/domdig/node_modules/puppeteer/.local-chromium/linux-686378
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN The package htcrawl is included as both a dev and production dependency.

added 52 packages from 27 contributors and audited 60 packages in 22.961s

1 package is looking for funding
run npm fund for details

found 0 vulnerabilities

I also tested it against https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-document-write-sink and it doesn't appear to be working. Not sure if I'm doing something wrong?
