Burp Suite User Forum

Login to post

Cross-site scripting (DOM-based) - data is read from window.location.href and passed to $()

Yogesh | Last updated: Jul 04, 2022 01:59PM UTC

I'm getting the following error "The application may be vulnerable to DOM-based cross-site scripting. Data is read from window.location.href and passed to $()." My code looks like this let url = window.location.href; let urlHash = url.split('#'); let faqId = urlHash[1]; let div = $('#' + faqId); I did some R&D but didn't find any case in which the malicious code could be used. Is it a false positive?

Yogesh | Last updated: Jul 04, 2022 03:23PM UTC

And yes, I'm using jQuery version 1.12.4 Here is the full code snippet for referance let url = window.location.href; let urlHash = url.split('#'); let faqId = urlHash[1]; let div = $('#' + faqId); if (div.length >= 1) { div.find(".question").addClass('active'); div.find(".answer").css('display','block'); }

Yogesh | Last updated: Jul 05, 2022 08:41AM UTC

I'm eagerly looking for the answer...

Michelle, PortSwigger Agent | Last updated: Jul 05, 2022 10:42AM UTC

Thanks for your message. Confirming whether or not this is a false positive and whether this is mitigated via any of your security controls is not really a decision we can take for you. Having said that, we do have some resources that may help with your investigations: - https://portswigger.net/web-security/cross-site-scripting/dom-based - https://portswigger.net/blog/introducing-dom-invader - https://portswigger.net/burp/documentation/desktop/tools/dom-invader I hope this helps.

You need to Log in to post a reply. Or register here, for free.