Description
domdig scans Single Page Applications (SPAs) for DOM-based XSS vulnerabilities. It drives headless Chrome to crawl the application, tracks DOM sources and sinks, and reports the source-to-sink flows it can confirm as exploitable DOM XSS. Essential for testing modern React/Angular/Vue apps.
Installation
```bash
npm install -g domdig
# Or from source
git clone https://github.com/fcavallarin/domdig.git
cd domdig && npm install
```
Basic Usage
```bash
# Scan a URL
domdig https://target.com
# With output file
domdig https://target.com -o results.json
```
Advanced Usage
```bash
# Custom cookies (authenticated scanning)
domdig https://target.com -c "session=abc123; token=xyz"
# Custom User-Agent
domdig https://target.com -A "Mozilla/5.0"
# Increase crawling depth
domdig https://target.com --max-depth 5
# Timeout per page (milliseconds)
domdig https://target.com --timeout 30000
# Proxy through Burp
domdig https://target.com --proxy http://127.0.0.1:8080
```
DOM XSS Sources & Sinks
```text
# Common DOM XSS Sources (user-controlled):
- document.URL
- document.documentURI
- location.href / location.search / location.hash
- document.referrer
- window.name
- postMessage data
# Common DOM XSS Sinks (dangerous functions):
- innerHTML / outerHTML
- document.write / document.writeln
- eval() / setTimeout() / setInterval()
- element.setAttribute("onclick", ...)
- jQuery.html() / jQuery.append()
```
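The list above is also what a code reviewer greps for before or after a scan. The following is an added example (not part of domdig) of a small static triage helper: it flags lines referencing the listed sources and sinks and pairs nearby source/sink lines into candidate flows for manual review. The `event.data` spelling for postMessage data and the sample SPA snippet are constructed assumptions; the helper over-approximates on purpose and cannot prove a flow is exploitable.

```javascript
// Added example, not domdig code: static source/sink triage over JavaScript text.

// Source and sink spellings follow the list above. `event.data` is an assumed
// common spelling for postMessage data (the list names the concept only).
const SOURCES = [
  'document.URL', 'document.documentURI', 'location.href', 'location.search',
  'location.hash', 'document.referrer', 'window.name', 'event.data',
];
// 'document.write' also matches document.writeln; '.html(' / '.append(' cover jQuery.
const SINKS = [
  'innerHTML', 'outerHTML', 'document.write', 'eval(', 'setTimeout(',
  'setInterval(', '.setAttribute(', '.html(', '.append(',
];

// Returns one finding per line that mentions at least one source or sink.
function findSourcesAndSinks(jsText) {
  const findings = [];
  jsText.split('\n').forEach((text, i) => {
    const sources = SOURCES.filter((s) => text.includes(s));
    const sinks = SINKS.filter((s) => text.includes(s));
    if (sources.length || sinks.length) {
      findings.push({ line: i + 1, text: text.trim(), sources, sinks });
    }
  });
  return findings;
}

// A sink line preceded by a source line within `span` lines is a candidate
// flow. Deliberately over-approximate: the reviewer confirms or discards each.
function candidateFlows(findings, span = 10) {
  const flows = [];
  const sinkHits = findings.filter((f) => f.sinks.length);
  const sourceHits = findings.filter((f) => f.sources.length);
  for (const sink of sinkHits) {
    for (const src of sourceHits) {
      if (src.line <= sink.line && sink.line - src.line <= span) {
        flows.push({ source: src, sink });
      }
    }
  }
  return flows;
}

function report(jsText) {
  const findings = findSourcesAndSinks(jsText);
  return { findings, flows: candidateFlows(findings) };
}

// Constructed sample: a hash-routed SPA view that renders the URL fragment.
const SAMPLE_JS = [
  "const view = location.hash.slice(1);",
  "const out = document.getElementById('out');",
  "out.innerHTML = view;             // untrusted fragment reaches a sink",
  "out.textContent = view;           // same data, inert property: not flagged",
  "setTimeout(() => refresh(), 500); // flagged sink, but the callback is constant",
].join('\n');

// Stand-alone run: prints the two candidate flows; the second is a false positive
// a reviewer would discard after reading the callback.
const result = report(SAMPLE_JS);
for (const f of result.flows) {
  console.log(`line ${f.source.line} (${f.source.sources}) -> line ${f.sink.line} (${f.sink.sinks})`);
}
```

The point of `candidateFlows` is triage, not proof: the `setTimeout` hit shows why string matching alone over-reports, and why a dynamic tool like domdig (which actually drives the browser) is the confirmation step.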
Common Workflows
```bash
# Scan SPA application
domdig https://target.com --max-depth 5 -o dom_xss_results.json
# Manual DOM XSS testing
# 1. Check URL hash: https://target.com/#<img src=x onerror=alert(1)>
# 2. Check URL params: https://target.com/?q=<img src=x onerror=alert(1)>
# 3. Check postMessage handlers in JavaScript
# 4. Search JS for: innerHTML, document.write, eval, $.html
```
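Steps 1 to 3 above correspond to the fixes an application owner applies once domdig reports a flow. The following is an added example (not part of domdig or any framework) showing the hardened side of each: a hash router that resolves the fragment against an allowlist of view names instead of rendering it, and a postMessage receiver that checks the origin before treating the data as text. The route table and the trusted origin `https://app.example` are constructed assumptions.

```javascript
// Added example, not domdig code: hardened counterparts to the manual checks.

// Output encoding for the rare case where untrusted text must go into HTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Assumed route table: fragment names map to views the app knows about.
const ROUTES = { home: 'Home', profile: 'Profile', settings: 'Settings' };

// Step 1 hardened: the fragment selects a view by name. Anything not in the
// allowlist (markup, unknown names, malformed percent-encoding) falls back to
// the default, so fragment text never reaches innerHTML or document.write.
function resolveRoute(hash, routes = ROUTES) {
  let name;
  try {
    name = decodeURIComponent(hash.replace(/^#\/?/, ''));
  } catch (e) {
    return 'home'; // decodeURIComponent throws URIError on bad %-sequences
  }
  return Object.prototype.hasOwnProperty.call(routes, name) ? name : 'home';
}

// Step 2 hardened: the same allowlist idea applied to a query parameter.
// Returns the validated value or null; the caller renders only non-null values.
function readQueryParam(search, key, allowed) {
  const value = new URLSearchParams(search).get(key);
  return value !== null && allowed.includes(value) ? value : null;
}

// Step 3 hardened: origin check first, then a type check, then encoding.
// Unknown origins are dropped silently; the return value is safe for innerHTML
// (or can be written with textContent without the escaping).
const TRUSTED_ORIGINS = new Set(['https://app.example']); // assumed
function handleMessage(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return null;
  if (typeof event.data !== 'string') return null;
  return escapeHtml(event.data);
}

// Stand-alone run with constructed inputs.
console.log(resolveRoute('#/profile'));                  // profile
console.log(resolveRoute('#<b>x</b>'));                  // home
console.log(readQueryParam('?tab=orders', 'tab', ['orders', 'invoices'])); // orders
console.log(handleMessage({ origin: 'https://app.example', data: '<b>x</b>' }));
```

In a browser the same functions would be wired as `window.addEventListener('hashchange', ...)` and `window.addEventListener('message', handleMessage)`; the logic that decides what is allowed stays identical.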