Burp Suite User Forum


Cross-site scripting (DOM-based)

Ricardo | Last updated: Jan 29, 2018 01:34PM UTC

Burp has created two different tentative DOM XSS issues with this description: "The application may be vulnerable to DOM-based cross-site scripting. Data is read from location and passed to $() via the following statement:" And these are the statements:

var path = $(location).attr('pathname') ? $(location).attr('pathname').split('/') : [];

$(location).attr('href', '/' + var1 + '/');

I'm trying to imagine in which scenario this would be exploitable. It seems to be a false positive because the variables path and var1 will get the literal value and won't trigger any JavaScript code. Could you please give me a scenario where this could be exploitable? Thanks! Ricardo Iramar

PortSwigger Agent | Last updated: Jan 29, 2018 02:16PM UTC

Hi Ricardo, Thanks for your message. The code is very close to being exploitable. If it was:

$(location).attr('href', '' + var1 + '/');

And var1 could be controlled by an attacker, they could inject "javascript:alert(document.domain)" and that would be executed. However, prepending the slash will prevent this. Our static analysis is likely to produce false positives on similar patterns, as we don't attempt to do string analysis. Please let us know if you need any further assistance.
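As an added illustration (not code from this thread, from Burp or from PortSwigger), the Node script below models what the browser does when the flagged assignment runs: the attacker-controlled var1 is resolved against the page URL with the WHATWG URL parser, and the result is classified. The page origin https://example.test/app/ is an assumed value. It shows why the leading slash in '/' + var1 + '/' defeats a javascript: payload (the value can only ever become a path on the current site) while the slash-less form does not, and adds two checks a tester wants when reproducing this: whether the javascript: body still parses once the expression's trailing '/' has been appended (a dangling '/' opens an unterminated regular-expression literal, so the payload has to end in '//'), and whether a slash-prefixed value can still leave the origin through a protocol-relative '//host' (a redirect rather than script execution, and not something Burp reported here).

```javascript
// Added example, not code from the forum thread, from Burp or from PortSwigger.
// Models the effect of assigning location.href with Node's WHATWG URL parser.
// The page origin is an assumption for the example.
const PAGE_URL = 'https://example.test/app/';

// The statement without the leading slash: $(location).attr('href', '' + var1 + '/')
function hrefWithoutSlash(var1) {
  return '' + var1 + '/';
}

// The statement Burp flagged: $(location).attr('href', '/' + var1 + '/')
function hrefWithSlash(var1) {
  return '/' + var1 + '/';
}

// Resolve the value against the page URL, as the browser does on assignment.
// Returns null when the value cannot be parsed as a URL at all.
function resolveHref(value, base = PAGE_URL) {
  try {
    return new URL(value, base);
  } catch (e) {
    return null;
  }
}

// True when the assignment would run script: only a javascript: URL does.
function executesScript(value) {
  const url = resolveHref(value);
  return url !== null && url.protocol === 'javascript:';
}

// True when the assignment navigates to an http(s) origin other than the
// page's own: an open redirect, not cross-site scripting.
function leavesOrigin(value) {
  const url = resolveHref(value);
  return url !== null
    && /^https?:$/.test(url.protocol)
    && url.origin !== new URL(PAGE_URL).origin;
}

// A javascript: URL only does anything if its body is valid JavaScript.
// new Function() compiles the body without executing it, so this checks a
// payload's syntax safely (document is not even defined in Node).
function scriptBodyParses(value) {
  const url = resolveHref(value);
  if (url === null || url.protocol !== 'javascript:') return false;
  const body = url.href.slice('javascript:'.length);
  try {
    new Function(body);
    return true;
  } catch (e) {
    return false;
  }
}

// Usage: compare the two expressions against the payload from the thread.
const payload = 'javascript:alert(document.domain)';
console.log('no slash  ->', resolveHref(hrefWithoutSlash(payload)).href,
            'executes:', executesScript(hrefWithoutSlash(payload)),
            'parses:', scriptBodyParses(hrefWithoutSlash(payload)));
console.log('no slash, // ->', 'parses:', scriptBodyParses(hrefWithoutSlash(payload + '//')));
console.log('with slash ->', resolveHref(hrefWithSlash(payload)).href,
            'executes:', executesScript(hrefWithSlash(payload)));
console.log('with slash, //host ->', resolveHref(hrefWithSlash('/evil.test')).href,
            'leaves origin:', leavesOrigin(hrefWithSlash('/evil.test')));
```

The first call resolves to a javascript: URL, so the slash-less statement is a real sink; the flagged statement turns the same payload into https://example.test/javascript:alert(document.domain)/, which is just a 404 on the current site. Note that because the expression appends '/', the body of the slash-less case is alert(document.domain)/ and does not compile; a payload ending in '//' turns that trailing character into a comment.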

Burp User | Last updated: Jan 29, 2018 06:55PM UTC

Thanks a lot for the feedback. :) I'm trying to reproduce this scenario on Chrome in a page with jQuery loaded, but probably I'm doing something wrong.

var1="javascript:alert(document.domain)"
$(location).attr(‘href’, ‘’ + var1 + ’/’);
Uncaught SyntaxError: Invalid or unexpected token

$(location).attr(‘href’, var1 + ’/’);
Uncaught SyntaxError: Invalid or unexpected token

If I do a simple test like this:

$(location).attr(alert());

I can see the window pop up. Do you have some example for these two issues that I sent before that I can reproduce on Chrome dev tools console? Thanks! Ricardo Iramar

PortSwigger Agent | Last updated: Jan 30, 2018 07:42AM UTC

Hi Ricardo, You're pretty close; I think you just need to add a semi-colon:

var1="javascript:alert(document.domain);"

To give you example exploits I'd need to see the full Burp output for each finding.
