The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Burp Scanner fails to detect easy DOM XSS

Takahiro | Last updated: Jun 01, 2024 05:27AM UTC

I am working on Web Security Academy's "Lab: DOM XSS in document.write sink using source location.search inside a select element." In this lab, when I use Burp to scan "https://0a2100230335cfb8808b351500960012.web-security-academy.net/product?productId=1&storeId=test," DOM XSS is not detected. When I checked the JavaScript source, I saw that the storeId loaded by location.search is passed to document.write, and I don't understand why this cannot be detected. Also, similar JavaScript is used in "Lab: DOM XSS in document.write sink using source location.search," but DOM XSS is detected in this lab. I'm confused. I would appreciate any help. Thanks in advance.

Syed, PortSwigger Agent | Last updated: Jun 03, 2024 10:47AM UTC

Hi Takahiro,

Thank you for reporting this. I have been able to replicate the behaviour. We will need to run some tests to figure out why this is happening. Once I have an answer for you, I will report back.

Takahiro | Last updated: Jun 03, 2024 02:38PM UTC

Thank you for your prompt response.

Syed, PortSwigger Agent | Last updated: Jun 04, 2024 02:11PM UTC

Hi Takahiro,

Thank you for your patience on this.

It turns out the reason we do not find the DOM XSS on this lab/URL is that the 'storeId' parameter is not part of the original URL; it is added there and then the XSS is executed. We have already raised a few internal tickets to improve this, but in the meantime you can use DOM Invader to do this:

Turn DOM Invader on
Check inject into all sources
Check the general cog->Sources tab->URLSearchParams

I hope that helps.
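The coverage gap described in the reply above can be checked for statically. The following is an added example, not part of the original thread and not PortSwigger's code: it lists query parameters that a page script reads through URLSearchParams but that are missing from the URL handed to the scanner. The sample script, the host `lab.example`, and all function names are constructed for illustration.

```javascript
// Constructed sample modeled on the thread's description: storeId is read
// from location.search and passed to document.write inside a <select>.
const SAMPLE_SCRIPT = `
var stores = ["London", "Paris", "Milan"];
var store = (new URLSearchParams(window.location.search)).get('storeId');
document.write('<select name="storeId">');
if (store) { document.write('<option selected>' + store + '</option>'); }
document.write('</select>');
`;

// Names of query parameters the script reads through URLSearchParams.
function paramsReadByScript(src) {
  const names = new Set();
  // Variables that hold a URLSearchParams object, e.g. `p = new URLSearchParams(...)`.
  const holders = [...src.matchAll(/(\w+)\s*=\s*new\s+URLSearchParams\s*\(/g)]
    .map(m => m[1]);
  // Receiver is either an inline (optionally parenthesised) constructor call
  // or one of the holder variables found above.
  const inline = String.raw`\(?\s*new\s+URLSearchParams\s*\([^)]*\)\s*\)?`;
  const receiver = [inline, ...holders.map(h => `\\b${h}`)].join("|");
  const call = new RegExp(
    `(?:${receiver})\\s*\\.\\s*(?:get|getAll|has)\\s*\\(\\s*(['"])(.*?)\\1`, "g");
  for (const m of src.matchAll(call)) names.add(m[2]);
  return [...names].sort();
}

// Parameters the script reads that are absent from the URL given to the scanner.
function unscannedSources(startUrl, scriptSrc) {
  const present = new Set(new URL(startUrl).searchParams.keys());
  return paramsReadByScript(scriptSrc).filter(n => !present.has(n));
}

// Same URL with each missing parameter appended using a placeholder value,
// so the parameter exists as an insertion point when the URL is scanned.
function urlWithSources(startUrl, scriptSrc, placeholder = "test") {
  const u = new URL(startUrl);
  for (const n of unscannedSources(startUrl, scriptSrc)) {
    u.searchParams.set(n, placeholder);
  }
  return u.toString();
}

console.log(unscannedSources("https://lab.example/product?productId=1", SAMPLE_SCRIPT));
```

The regular expressions only recognise direct URLSearchParams reads with literal parameter names; values parsed from location.search by hand or through computed names need manual review.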

Takahiro | Last updated: Jun 06, 2024 04:35PM UTC