Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Chrome's Dom Invader buggy on sites protected by recaptcha

slicingmelon | Last updated: Oct 11, 2022 01:20PM UTC

Hello, I am trying to use Dom Invader in order to find DOM XSS vulnerabilities on a website that is protected by google recaptcha. As soon as I enable DOM invader, I am getting logged out and when I try to log in it won't work, it has something to do with google's recaptcha. Without DOM Invader, it works fine. Is there anything I could do in this regard? Thank you!

Liam, PortSwigger Agent | Last updated: Oct 12, 2022 06:25AM UTC

Thanks for your message. Is the application publicly accessible? If so, could you provide us with access?

slicingmelon | Last updated: Oct 12, 2022 10:47AM UTC

Hello Liam, unfortunately, it is not publicly accessible. I can tell you that the error is "Could not connect to the reCAPTCHA service. Please check your internet connection and reload to get a reCAPTCHA challenge." Regards

Liam, PortSwigger Agent | Last updated: Oct 12, 2022 01:27PM UTC

If you turn Postmessage interception to OFF in the DOM Invader settings, do you see an improvement?

slicingmelon | Last updated: Oct 24, 2022 02:00PM UTC

Hello Liam, sorry for the late reply. Yep, with DOM Invader OFF, it works, still being on the chromium browser. As soon as I turn DOM Invader ON, I can't use the webapp any more. // UPDATE Now I've noticed that only the Login is broken, aka I can't log in while having DOM Invader ON, it still, seems to be an issue related to recaptcha. So for now I turn off DOM Invader during login, then I turn it back on.

Liam, PortSwigger Agent | Last updated: Oct 25, 2022 10:12AM UTC

Sorry, I didn't mean to turn DOM Invader off completely. Just try turning off postmessage interception in the DOM Invader settings.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.