The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Burp Scanner Bug

soufiane | Last updated: Dec 28, 2022 05:34AM UTC

Hi, I recently launched an active scan using Burp Scanner. While the issue reporting is acceptable, the request and response are both off most of the time and do not reflect the reported vulnerability. For example, the scanner detected a DOM-based XSS vulnerability, and neither the request nor the response reflected the injected payload seen in the Dynamic analysis tab. Take a look at the analysis below; it doesn't make sense:

Data is read from input.value and passed to jQuery.prepend. The source element has id twitterTitle and name twitterTitle.
The following value was injected into the source: @Twitter
The previous value reached the sink as: <div class="left-heading"><h2>b8ngcxp385%2527%2522`'"/b8ngcxp385/><b8ngcxp385/\>cn1t58o3r0&</h2></div>

First, I have no idea how the scanner injected the payload `<h2>b8ngcx...` into input.value, as it's not in the request. Second, the injected @Twitter doesn't reflect what reached the sink, and finally, I do not see the payload in the response. Any ideas?

Liam, PortSwigger Agent | Last updated: Dec 28, 2022 03:38PM UTC

Thanks for your message, Soufiane. DOM-based XSS vulnerabilities usually arise when JavaScript takes data from an attacker-controllable source, such as the URL, and passes it to a sink that supports dynamic code execution, such as eval() or innerHTML. This enables attackers to execute malicious JavaScript, which typically allows them to hijack other users' accounts. To deliver a DOM-based XSS attack, you need to place data into a source so that it is propagated to a sink and causes execution of arbitrary JavaScript. - https://portswigger.net/web-security/cross-site-scripting/dom-based Please let us know if you need any further assistance.
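
Liam's reply above describes the source-to-sink flow in general terms. As an added example (not code from this thread, from PortSwigger, or from the site being scanned), the following models the specific flow quoted in the post: a value read from an input's `value` property and concatenated into markup that is handed to `jQuery.prepend`. That flow is entirely client-side, so nothing about it is visible in an HTTP request or response; the only way to observe it is to place a value in the source and inspect what arrives at the sink, which is what the canary check below does. The `left-heading` wrapper, the `<h2>` element and the token `b8ngcxp385` are taken from the post; the canary format, the function names and the escaping helper are assumptions made here.

```javascript
// Added example (not from the forum thread or from PortSwigger): a minimal model of the
// source -> sink flow described in the post. In a real page the string returned by
// buildHeadingUnsafe() is what jQuery.prepend() parses as HTML, so any markup inside the
// source value becomes live DOM nodes. The "left-heading" wrapper and <h2> come from the
// post; everything else here is constructed for illustration.

// Vulnerable: the input's value is concatenated straight into markup.
function buildHeadingUnsafe(sourceValue) {
  return '<div class="left-heading"><h2>' + sourceValue + '</h2></div>';
}

// Hardened: HTML-encode the value so it reaches the sink as text, not markup.
function escapeHtml(s) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;',
  };
  return String(s).replace(/[&<>"'`]/g, (c) => map[c]);
}

function buildHeadingSafe(sourceValue) {
  return '<div class="left-heading"><h2>' + escapeHtml(sourceValue) + '</h2></div>';
}

// A canary in the style of the value quoted in the post (format assumed, not Burp's
// actual algorithm): a random alphanumeric token surrounded by the characters that
// matter for breaking out of an HTML text context. A benign value such as "@Twitter"
// would pass through both renderers unchanged and reveal nothing.
function makeCanary(token) {
  return token + "%2527%2522`'\"/" + token + "/><" + token + "/\\>";
}

// Did the canary reach the sink with its markup intact? We look for an element tag that
// carries the token, which can only exist if '<' survived un-encoded. The token must be
// alphanumeric so it is safe to embed in a RegExp.
function canaryReachesSinkAsMarkup(render, token) {
  if (!/^[A-Za-z0-9]+$/.test(token)) throw new Error('token must be alphanumeric');
  const html = render(makeCanary(token));
  return new RegExp('<' + token + '[\\s/>]').test(html);
}

// Run the check against both renderers with one constructed token and report the result.
function runCheck(token) {
  return {
    unsafe: canaryReachesSinkAsMarkup(buildHeadingUnsafe, token),
    safe: canaryReachesSinkAsMarkup(buildHeadingSafe, token),
  };
}
```

Calling `runCheck('b8ngcxp385')` returns `{ unsafe: true, safe: false }`: the raw concatenation lets the canary's `<b8ngcxp385/\>` through as an element, while the escaped version leaves only text inside the `<h2>`. Note that neither renderer ever sends the value anywhere, so a proxy that only records HTTP traffic would show a request and response that look unrelated to the injected value.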

soufiane | Last updated: Dec 30, 2022 03:09PM UTC

Liam, thanks for your reply. I understand what a DOM XSS is, but this post is about a bug in Burp Scanner. As I mentioned above, Burp Scanner said that it injected @Twitter and got the following input, which doesn't make sense: `<div class="left-heading"><h2>b8ngcxp385%2527%2522`'"/b8ngcxp385/><b8ngcxp385/\>cn1t58o3r0&</h2></div>`. I also don't see the injected input in the request or the response in the Burp Scanner log.

Hannah, PortSwigger Agent | Last updated: Jan 03, 2023 11:46AM UTC