
Want to prevent DOM XSS? Check out Trusted Types and our Burp Suite extension.

7/01/2025 Article

Hand reaching through screen to steal browser session
BG

TL;DR

We’re excited to announce the release of the Trusted Types Checker extension for Burp Suite! Trusted Types is a browser security feature that helps prevent DOM-based XSS, and this new tool is designed to highlight misconfigurations in how a site adopts it.

So what is it?

Trusted Types is a fairly new browser security feature introduced to mitigate DOM-based Cross-Site Scripting (XSS) by controlling what may reach potential DOM XSS sinks such as innerHTML, eval and script.src. Once enforcement is switched on through the Content Security Policy directive require-trusted-types-for 'script', those sinks no longer accept plain strings: they only accept typed values (TrustedHTML, TrustedScript, TrustedScriptURL) created by a policy the application defines, and the trusted-types directive lists which policy names the page may create. By forcing every write to a sink through a policy that sanitises or validates its input, Trusted Types provides an additional layer of protection on top of conventional output encoding.

A Trusted Types policy therefore sits between the source and the sink, breaking the exploitation chain at the exact point where untrusted data would otherwise be interpreted as markup or code. Adopting Trusted Types can be challenging, and misconfigured policies, incomplete enforcement, or no implementation at all are common. The Trusted Types Checker extension provides a tool to identify these issues.
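The source-to-sink interception described above, as an added example that is not part of the original article or the extension's code. It defines a single application policy, routes an HTML sink and a script URL sink through it, and also shows the pass-through default policy that the checker is built to catch. The policy name app-policy, the script origin allow-list, the base origin https://app.example and the small stand-in for the browser's trustedTypes API (so the file runs under Node) are all assumptions made for the example.

```javascript
// Added example, not code from the original article or the extension.
// A Trusted Types policy placed between an untrusted source and two DOM XSS
// sinks. With the CSP below enforced, a browser rejects plain strings at
// innerHTML / script.src and only accepts values created by a policy:
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types app-policy
// The stand-in below is an assumption so the file also runs under Node, where
// `trustedTypes` does not exist. It hands back plain strings where a browser
// returns TrustedHTML / TrustedScriptURL objects; the policy logic is the same.

const trustedTypesApi = globalThis.trustedTypes ?? {
  createPolicy(name, rules) {
    // A browser stringifies the argument before calling the rule, and throws
    // when a policy is asked for a type it defines no rule for.
    const rule = (kind) =>
      typeof rules[kind] === 'function'
        ? (value) => rules[kind](String(value))
        : () => { throw new TypeError(`policy "${name}" defines no ${kind} rule`); };
    return {
      name,
      createHTML: rule('createHTML'),
      createScript: rule('createScript'),
      createScriptURL: rule('createScriptURL'),
    };
  },
};

// Escape the five characters that let attacker text break out of a text
// context; the sink then renders markup literally instead of parsing it.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Origins from which scripts may be loaded (assumed for the example).
const ALLOWED_SCRIPT_ORIGINS = new Set(['https://cdn.example.com']);

// The application's one policy. It deliberately defines no createScript rule,
// so nothing in the page can mint a TrustedScript for eval()/new Function().
const policy = trustedTypesApi.createPolicy('app-policy', {
  createHTML(input) {
    return escapeHtml(input);
  },
  createScriptURL(input) {
    const url = new URL(input, 'https://app.example'); // base origin assumed
    if (!ALLOWED_SCRIPT_ORIGINS.has(url.origin)) {
      throw new TypeError(`script origin not allowed: ${url.origin}`);
    }
    return url.href;
  },
});

// Sink 1: HTML injection. `element` is a DOM element in the browser; a plain
// object with an innerHTML property is enough to exercise it under Node.
function renderUntrustedHtml(element, untrusted) {
  element.innerHTML = policy.createHTML(untrusted);
  return element.innerHTML;
}

// Sink 2: script URL. The policy rejects origins outside the allow-list, so
// an attacker-controlled URL never reaches the sink.
function loadScript(scriptElement, untrustedUrl) {
  scriptElement.src = policy.createScriptURL(untrustedUrl);
  return scriptElement.src;
}

// Anti-pattern the checker is meant to flag: a 'default' policy that returns
// its input unchanged. The browser calls the default policy automatically for
// any string that reaches a sink, so this silently re-enables DOM XSS.
function createPassthroughDefaultPolicy() {
  return trustedTypesApi.createPolicy('default', { createHTML: (s) => s });
}
```

With enforcement on, the interesting property is that the only way a string reaches innerHTML is through createHTML, so reviewing the handful of policy rules is enough to reason about every sink on the page; the pass-through default policy at the end destroys exactly that property.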

Features of the Trusted Types Checker

The Trusted Types Checker extension flags specific Trusted Types weaknesses. These include:

  • Default Policy Creation

Detects the creation of a policy named default. The browser invokes the default policy automatically whenever a plain string reaches a sink, so a permissive default policy silently re-enables the unsafe data handling that Trusted Types is meant to block.

  • Untrusted Data Return

Flags policies whose create functions return their input unchanged, or otherwise hand back untrusted data, bypassing the security intent of Trusted Types.

  • Missing CSP Directives

Highlights a Content Security Policy that lacks require-trusted-types-for, which switches enforcement on, or trusted-types, which restricts the policy names a page may create. Both are needed for Trusted Types to be enforced with any strictness.

  • Use of Insecure Directives

Detects insecure keywords such as 'allow-duplicates' in the trusted-types directive, which lets a policy name be created more than once and undermines the strictness of Trusted Types.

  • Blank or Default Policies

Identifies policies that define no rules at all, or rules so loosely defined that they fail to provide adequate protection.

  • Actively Disabled Policies

Flags cases where Trusted Types enforcement has been explicitly disabled in CSP headers.
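A minimal static checker for the misconfigurations listed above, added here as an illustration; it is not the extension's own code and does not claim to be how the extension works internally. It parses a CSP header value and scans page JavaScript for createPolicy calls, covering the missing-directive, insecure-keyword, default-policy, blank-policy and pass-through checks. The finding codes, the regular expressions (a heuristic that will miss minified or obfuscated code) and the sample CSP and script inputs are all constructed for the example.

```javascript
// Added example, not the extension's own code: a small static checker for
// the Trusted Types misconfigurations the article lists. The regexes are a
// heuristic of mine (an assumption) and the sample inputs are constructed.

// "directive token token; directive ..." -> Map(directive -> [tokens])
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

function checkCsp(header) {
  const findings = [];
  const csp = parseCsp(header);

  const req = csp.get('require-trusted-types-for');
  if (!req) {
    findings.push({ code: 'csp-missing-require-trusted-types-for',
      detail: "enforcement is off: add require-trusted-types-for 'script'" });
  } else if (!req.includes("'script'")) {
    findings.push({ code: 'csp-require-trusted-types-for-without-script',
      detail: "require-trusted-types-for is present but lacks 'script'" });
  }

  const tt = csp.get('trusted-types');
  if (!tt) {
    findings.push({ code: 'csp-missing-trusted-types',
      detail: 'any policy name may be created: add a trusted-types allow-list' });
    return findings;
  }
  if (tt.includes("'allow-duplicates'")) findings.push({ code: 'csp-allow-duplicates',
    detail: "'allow-duplicates' lets a policy name be created more than once" });
  if (tt.includes('default')) findings.push({ code: 'csp-default-policy-permitted',
    detail: "a 'default' policy may be created and will run for every string sink write" });
  if (tt.includes('*')) findings.push({ code: 'csp-wildcard-policy',
    detail: "'*' allows any policy name" });
  return findings;
}

// Matches trustedTypes.createPolicy('<name>', { ...rules... }).
const POLICY_RE = /createPolicy\(\s*(['"`])([^'"`]*)\1\s*,\s*\{([\s\S]*?)\}\s*\)/g;
// Matches a rule that returns its own argument unchanged, in the arrow form
// (createHTML: (s) => s, createHTML: s => s) or the method form
// (createHTML(s) { return s; }).
const PASSTHROUGH_RE =
  /\b(createScriptURL|createScript|createHTML)\s*(?::\s*(?:\(\s*(\w+)\s*\)|(\w+))\s*=>\s*(\w+)|\(\s*(\w+)\s*\)\s*\{\s*return\s+(\w+)\s*;?\s*\})/g;

function checkScript(js) {
  const findings = [];
  for (const m of js.matchAll(POLICY_RE)) {
    const name = m[2];
    const body = m[3];
    if (name === 'default') findings.push({ code: 'js-default-policy',
      detail: 'a default policy is created; review its rules carefully' });
    if (body.trim() === '') findings.push({ code: 'js-blank-policy',
      detail: `policy "${name}" defines no rules` });
    for (const r of body.matchAll(PASSTHROUGH_RE)) {
      const param = r[2] ?? r[3] ?? r[5];
      const returned = r[4] ?? r[6];
      if (param === returned) findings.push({ code: 'js-passthrough-rule',
        detail: `policy "${name}": ${r[1]} returns its input unchanged` });
    }
  }
  return findings;
}

function runChecks(cspHeader, js) {
  return [...checkCsp(cspHeader), ...checkScript(js)];
}

// Constructed samples (not taken from any real site).
const WEAK_CSP = "script-src 'self'; trusted-types default app-policy 'allow-duplicates'";
const STRONG_CSP = "require-trusted-types-for 'script'; trusted-types app-policy";
const SAMPLE_SCRIPT = `
  const bad = trustedTypes.createPolicy('default', { createHTML: (s) => s, createScript: s => s });
  const blank = trustedTypes.createPolicy('noop', {});
  const good = trustedTypes.createPolicy('app-policy', { createHTML(s) { return escapeHtml(s); } });
`;

for (const f of runChecks(WEAK_CSP, SAMPLE_SCRIPT)) console.log(`${f.code}: ${f.detail}`);
```

Run against the weak sample the checker reports the missing enforcement directive, the two insecure trusted-types entries, the default policy with its two pass-through rules, and the blank policy; the strong CSP and a policy that calls a sanitiser produce no findings.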

Where can I find it?

You can find Trusted Types Checker in the BApp store within Burp Suite, and you can also check out the latest version in our GitHub repository!
