StaticBurp – Burp Suite potential DOM XSS Analysis

A few weeks ago I had an idea.

When I get ideas that I think have something worthwhile in them I note them down for future reference.

The three main points to get this working were:

  • Take Burp response body.
  • Extract JavaScript.
  • Perform Taint Analysis.

The first step was to somehow extract HTML responses from Burp Suite; luckily someone had already written a Ruby Burp extender called Buby. I followed this awesome series of blog posts to get myself acquainted with Buby.

The next step is to extract the JavaScript from the HTML responses, which is quite trivial to do with the Nokogiri Ruby gem.

The third step is to analyse the extracted JavaScript for Sinks, Sources and Securing functions (Taint Analysis). This was the hard part, for me at least. Finding this information proved to be hard; I did find some data, however, in the end this is where I stopped pursuing my idea.

So today Michele “antisnatchor” Orru’ posted a blog post titled ‘Enumerate potential DOM-based XSS vulnerable code’ in which Michele uses a regular expression originally written by Mario “.mario” Heiderich to find JavaScript Sinks and Sources.

In my original plan I had planned to use Dynamic Taint Analysis, which would have comprised arrays of Sinks, Sources and Securing functions; however, the regular expression route is much easier as it has already been done for us by Mario. :)

StaticBurp ALPHA (it’s had limited testing and was written during my lunch break) can be found here:

http://pastie.org/4283545

To run it, first install Buby. Then I used the following command:

jruby -S buby -i -B /pentest/web/burpsuite/burpsuite_v1.4.01.jar -r Desktop/StaticBurp.rb

As Michele states in his blog post, the output will need manual verification: it will probably produce a lot of false negatives and false positives. For now it is better than nothing.
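To make the three steps concrete, here is a small stand-alone model of the same pipeline (response body in, inline JavaScript out, pattern match for sources and sinks). This is an added example and is not the StaticBurp code from the pastie: it replaces Nokogiri with a simple regex-based `<script>` extractor so it runs with plain Ruby, it reads a constructed sample response instead of a Burp response, and the source/sink word lists are my own illustrative ones rather than Mario's regular expression. A script is flagged as "suspicious" only when it contains both a source and a sink, which is a rough stand-in for the manual verification step the post mentions.

```ruby
# Added example: a minimal model of the StaticBurp pipeline
# (response body -> inline JavaScript -> source/sink pattern match).
# Not the pastie code. Nokogiri is replaced by a regex <script> extractor;
# the SOURCES/SINKS lists are constructed for illustration, not Mario's regex.

# Constructed sample HTTP response body (hypothetical page, not a real target).
SAMPLE_BODY = <<~HTML
  <html><head>
  <script src="/static/app.js"></script>
  <script>
    var q = location.hash.substring(1);
    document.getElementById('out').innerHTML = q;
  </script>
  </head><body>
  <p>hello</p>
  <script type="text/javascript">
    var name = decodeURIComponent(location.search);
    eval("var greeting = '" + name + "'");
  </script>
  <script>document.write("<p>static</p>");</script>
  </body></html>
HTML

# Illustrative vocabularies (assumption: a short, hand-picked list, not exhaustive).
SOURCES = %w[location.hash location.search document.URL document.referrer window.name document.cookie]
SINKS   = %w[innerHTML outerHTML document.write eval setTimeout setInterval location.assign]

# Build one alternation per list; escape the dots so "location.hash" is literal.
SOURCE_RE = /\b(?:#{SOURCES.map { |s| Regexp.escape(s) }.join('|')})\b/
SINK_RE   = /\b(?:#{SINKS.map { |s| Regexp.escape(s) }.join('|')})\b/

# Step 2 stand-in for Nokogiri: return the bodies of inline <script> blocks.
# Script tags that only reference an external src have an empty body and are skipped.
def extract_inline_scripts(html)
  html.scan(%r{<script\b[^>]*>(.*?)</script>}mi).flatten.map(&:strip).reject(&:empty?)
end

Finding = Struct.new(:line, :kind, :match, :code)

# Step 3: per line, record every source and sink token that appears.
def analyse_script(js)
  findings = []
  js.each_line.with_index(1) do |text, lineno|
    text.scan(SOURCE_RE) { |m| findings << Finding.new(lineno, :source, m, text.strip) }
    text.scan(SINK_RE)   { |m| findings << Finding.new(lineno, :sink,   m, text.strip) }
  end
  findings
end

# Tie the steps together for one response body.
# A script is "suspicious" when it has at least one source and one sink;
# that is only a hint for manual review, not proof of a vulnerability.
def analyse_body(html)
  extract_inline_scripts(html).each_with_index.map do |js, idx|
    findings = analyse_script(js)
    {
      script: idx,
      findings: findings,
      suspicious: findings.any? { |f| f.kind == :source } && findings.any? { |f| f.kind == :sink }
    }
  end
end

# Human-readable report lines, one per finding.
def report(html)
  analyse_body(html).flat_map do |r|
    flag = r[:suspicious] ? 'SUSPICIOUS' : 'review'
    r[:findings].map { |f| "script #{r[:script]} [#{flag}] line #{f.line}: #{f.kind} #{f.match} in `#{f.code}`" }
  end
end

if __FILE__ == $0
  puts report(SAMPLE_BODY)
end
```

Running the file prints one line per matched token; the first two inline scripts are marked SUSPICIOUS because each reads from a DOM source and writes to a sink, while the third (a static `document.write`) is a sink with no source and is left for ordinary review. Swapping the regex extractor for Nokogiri (`doc.css('script')`) and the sample body for the Burp response is the only change needed to turn this into the Buby flow the post describes.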

5 thoughts on “StaticBurp – Burp Suite potential DOM XSS Analysis”

1. Spoonfed

  Looks to be pretty goddamn awesome.

  As always, you gotta start small and think big and take it one step at a time.

  The first step is there. :)

2. lava

  There is a Javascript Static Analysis engine built into IronWASP. But it’s a prototype and quite raw at the moment. I would be rewriting the engine as a standalone project so that you can use it from within Burp or ZAP. Might be of some use to your add-on.

3. sai

  Hi
  Can you kindly verify the pastebin link and post a new link where I can find your code. Thanks in advance :)
