Professional
Trusted Types checker is a Burp Suite extension that checks for a number of misconfigurations of the Trusted Types mechanism available in some browsers.
Trusted Types is a browser security mechanism designed to mitigate DOM-based cross-site scripting (XSS) by controlling how strings reach the DOM's injection sinks. In traditional web development, potentially dangerous content such as unsanitised user input can be passed straight to JavaScript APIs like innerHTML, eval or script.src, leading to XSS vulnerabilities. Trusted Types adds a layer of protection by making these critical sinks reject raw strings: they accept only typed objects (TrustedHTML, TrustedScript and TrustedScriptURL), and such objects can be created only through well-defined policies. Because every untrusted value must pass through a policy before it reaches a sink, the code that turns data into markup or script is concentrated in a few reviewable functions, and sanitisation cannot be bypassed by assigning a plain string somewhere else in the application.
To use Trusted Types, developers create policies with trustedTypes.createPolicy(), passing a policy name and a set of functions (createHTML, createScript, createScriptURL) that define how untrusted data is processed before it is wrapped in a trusted type; these functions can sanitise HTML, strip script tags, or restrict script URLs to a known origin. Enforcement is switched on through the Content Security Policy (CSP) directive require-trusted-types-for 'script', which makes the browser reject plain strings at the injection sinks and accept only values produced by a policy. The companion trusted-types directive lists the policy names a page may create: names not on the list cannot be registered, a wildcard (*) allows any name, and the 'allow-duplicates' keyword lets a name be registered more than once, so the first registration no longer reserves it. Delivering the same directives in Content-Security-Policy-Report-Only reports violations without blocking them, which is useful for rollout but provides no protection on its own. Used in enforcing mode with a short, explicit policy list, this approach significantly reduces the risk of DOM-based XSS, because only content that has passed through a vetted policy can be dynamically injected into the DOM.
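As an added example (written for this page; it is not the extension's code, nor PortSwigger's), the following JavaScript shows both halves of the setup described above: a policy whose factories escape HTML and restrict script URLs, written with a fallback so it also runs under Node where window.trustedTypes does not exist, and a small analyser that reads a CSP value and reports the weaknesses a tester would look for. The policy name 'app', the path rule inside createScriptURL and the constructed CSP strings are assumptions for illustration; the analyser is not the extension's own check logic.

```javascript
// Added example, not the Trusted Types checker extension's code.
// Part 1: a Trusted Types policy with a Node fallback.
// Part 2: an analyser for the CSP directives that switch enforcement on.

const ttApi = globalThis.trustedTypes; // window.trustedTypes in browsers; undefined in Node

// The policy's factories: each receives an untrusted string and returns the value
// the browser wraps as TrustedHTML / TrustedScriptURL.
const policyRules = {
  // Escape all markup so the result can only render as text, never as tags or handlers.
  createHTML: (input) =>
    String(input).replace(/[&<>"']/g, (c) =>
      ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]),
  // Accept only site-relative .js paths (assumed rule for this example). Absolute URLs,
  // javascript: and protocol-relative //host forms are rejected so script.src cannot
  // be pointed at remote code. Query strings are deliberately not allowed either.
  createScriptURL: (input) => {
    const url = String(input);
    if (/^\/(?!\/)[A-Za-z0-9_\-./]*\.js$/.test(url)) return url;
    throw new TypeError(`script URL rejected by policy: ${url}`);
  },
};

// In a browser, createPolicy registers the name 'app' (assumed) and the CSP directive
// `trusted-types app` must list it; under Node there is no API, so the raw rules stand in.
const appPolicy = ttApi ? ttApi.createPolicy('app', policyRules) : policyRules;

// Browser usage (not executed here):
//   el.innerHTML = appPolicy.createHTML(userInput); // accepted
//   el.innerHTML = userInput;                       // TypeError under enforcement

// Parse a Content-Security-Policy value into a map of directive -> tokens.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

const unquote = (t) => t.replace(/^'|'$/g, '');

// Report how strongly a CSP value enforces Trusted Types. `reportOnly` is true when the
// value came from Content-Security-Policy-Report-Only instead of Content-Security-Policy.
function analyseTrustedTypesCsp(value, reportOnly = false) {
  const d = parseCsp(value);
  const findings = [];
  const required = (d.get('require-trusted-types-for') || []).map(unquote);
  const enforcedForScript = required.includes('script');
  if (!enforcedForScript) {
    findings.push("require-trusted-types-for 'script' missing: innerHTML, eval, script.src and similar sinks still accept raw strings");
  }
  let allowedPolicies = ['*'];
  const tt = d.get('trusted-types');
  if (tt === undefined) {
    findings.push('trusted-types directive missing: any policy name may be created');
  } else {
    const names = tt.map(unquote);
    allowedPolicies = names.length === 1 && names[0] === 'none'
      ? []
      : names.filter((n) => n !== 'allow-duplicates');
    if (names.includes('*')) findings.push("trusted-types *: any policy name may be created");
    if (names.includes('allow-duplicates')) findings.push("'allow-duplicates': a second createPolicy() with an allowed name succeeds instead of throwing, so the first registration no longer reserves the name");
    if (names.includes('default')) findings.push("'default' policy permitted: its factories run on every raw-string sink assignment, so they must be as strict as a named policy");
  }
  if (reportOnly && enforcedForScript) findings.push('Report-Only header: violations are reported, not blocked');
  return { enforcedForScript: enforcedForScript && !reportOnly, allowedPolicies, findings };
}
```

The analyser treats an absent trusted-types directive as equivalent to a wildcard, which is how browsers behave: require-trusted-types-for on its own still forces values through a policy, but leaves every name available. The report-only flag matters in practice because a page that sends only Content-Security-Policy-Report-Only looks enforced in the header list while the sinks still accept strings.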
Author: Felix Ryan
Version: 1.0
Last updated: 08 January 2025
You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.
You can view the source code for all BApp Store extensions on our GitHub page.
Follow @BApp_Store on Twitter to receive notifications of all BApp releases and updates.
Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.