Awesome
This repository is no longer maintained. See https://portswigger.net/burp/documentation/desktop/tools/dom-invader instead.
sink-logger
Transparently log all data passed into known JavaScript sinks - Sink Logger extension for Burp.
Description
Sink Logger is a Burp Suite Extension that allows to transparently monitor various JavaScript sinks. All data passed into the defined sinks is logged into the browser's console. This is done by injecting a custom Proxy initialization script into chosen HTTP responses and "proxifying" all sinks.
Technical details
The extension intercepts responses and does 2 major things:
- In case the response is HTML or JavaScript it injects a script initializing a custom Proxy.
var QF9iYXlvdG9w = QF9iYXlvdG9w || new Proxy({}, {
set: function(target, key, value, receiver) {
if (value != undefined && value !== "") {
if ((value + "").startsWith("[object")) {
try {
var svalue = JSON.stringify(value);
} catch(error) {}
}
console.warn(`Sink log (${key}): ${svalue !== undefined ? svalue : value}`);
}
return Reflect.set(target, key, value, receiver);
}
});
- It "proxifies" all sinks. Currently 3 different sink types are supported: .innerHTML, eval() and document.write().
self.sinkPatterns = {
# pattern: replacement passed into re.sub()
r'\.innerHTML=': '.innerHTML=QF9iYXlvdG9w.innerHTML=',
r'eval\(([^)])': r'eval(QF9iYXlvdG9w.eval=\1',
r'document\.write\(([^)])': r'document.write(QF9iYXlvdG9w.write=\1'
}
Note: You can easily add custom sinks, or any other assignment / method call you want to proxify, by extending this dictionary. No other code changes are needed.
"Proxifying" a sink means to edit existing JavaScript so that every sink is preceded by an assignment to the proxy:
x.innerHTML=x.trim(); // becomes x.innerHTML=QF9iYXlvdG9w.innerHTML=x.trim();
document.write("string"); // becomes document.write(QF9iYXlvdG9w.write="string");
No sematic changes, no syntax errors (please report an issue if you find out otherwise).
Remarks
- During the process CSP headers (and the
<meta>
tag) as well as SRI checks are stripped. This puts you at risk when surfing the web. - Websites may break. The aim is to be completely transparent, in some cases, however, the modifications may result in invalid JavaScript syntax or otherwise break web-apps. Please consider reporting an issue if you encounter such behavior.