The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Addressing XSS vulnerability in window.location.hash?

Bantamchick | Last updated: Apr 09, 2016 01:24AM UTC

When we ran a security scan, the report unearthed the following vulnerability:

    newHash=window.location.hash;
    newHash=newHash.split(/_/);
    $("#"+newHash[1]).siblings().css('display','none');

We addressed it in the following manner:

    newHash = window.location.hash;
    newHash = newHash.split(/_/);
    //we encoded each string in the array derived from splitting the hash
    newHash.forEach(function(item, index){
        var encodedItem = encodeURIComponent(item);
        if (index > 0){
            newHash[index] = encodedItem;
        }
    });
    //we then used document.querySelectorAll() so that if there is any remaining monkey business, the code will barf before we pass it as a jquery selector.
    var flyout = document.querySelectorAll("#"+newHash[1]);
    $(flyout).siblings().css('display', 'none');

However, in the subsequent report that we ran, it is still complaining about:

    newHash=window.location.hash;
    newHash=newHash.split(/_/);

We just want to know if it is a false positive, or if there are issues we need to address. Thank you for your time.

PortSwigger Agent | Last updated: Apr 10, 2016 08:56AM UTC

Burp's static code analysis tracks possible taint paths from sources to sinks, and doesn't take account of possible "cleansing" operations that might be implemented along those paths. We would recommend manual review of the code and manual testing of the application to gain assurance that your fix is effective.
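One way to approach the manual review recommended above, as an added example (not code from the thread or from PortSwigger): it reproduces the posted encodeURIComponent step over constructed fragments, reports which CSS selector characters survive it, and compares that with an allow-list check on the id segment. The names FLYOUT_ID, posterSegment, selectorMetaLeft, safeFlyoutId and review, and the assumed id shape, are hypothetical.

```javascript
// Added example; all names here are hypothetical, not from the thread.

// Allow-list for the id segment: a letter, then letters, digits or hyphens.
// Assumption: the page's flyout ids follow this shape.
const FLYOUT_ID = /^[A-Za-z][A-Za-z0-9-]{0,63}$/;

// Reproduces the transform from the post: split on "_", URI-encode segment 1.
function posterSegment(hash) {
  const parts = String(hash).split(/_/);
  return parts.length > 1 ? encodeURIComponent(parts[1]) : undefined;
}

// Characters with CSS selector meaning that encodeURIComponent leaves
// untouched (. * ' ( ) ! ~) or introduces (%).
function selectorMetaLeft(segment) {
  return (String(segment).match(/[.*'()!~%]/g) || []).join("");
}

// Returns the id when segment 1 matches the allow-list, otherwise null.
function safeFlyoutId(hash) {
  const seg = String(hash).split(/_/)[1];
  if (typeof seg !== "string") return null; // no "_" in the fragment
  return FLYOUT_ID.test(seg) ? seg : null;
}

// Browser usage (not executed here): look the element up by id so the
// value is never parsed as a selector string.
//   const id = safeFlyoutId(window.location.hash);
//   const el = id && document.getElementById(id);
//   if (el) $(el).siblings().css('display', 'none');

// Constructed sample fragments for the review table.
const SAMPLES = ["#tab_flyout1", "#tab_a.b", "#tab_*", "#tab_a b", "#tab"];

function review() {
  return SAMPLES.map((hash) => {
    const encoded = posterSegment(hash);
    return {
      hash,
      encoded,
      metaLeft: encoded === undefined ? "" : selectorMetaLeft(encoded),
      accepted: safeFlyoutId(hash),
    };
  });
}

console.table(review());
```

The static finding on the source lines will still be reported after a change like this, for the reason given in the reply above; the table is evidence for the manual review, not a way to clear the scanner result.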

Burp User | Last updated: Dec 14, 2019 02:03AM UTC