Burp Suite User Forum


Cross Site Scripting (DOM based)

Trafalgar | Last updated: Mar 31, 2021 04:29PM UTC

Burp has created two different tentative DOM XSS issues with this description:

"The application may be vulnerable to DOM-based cross-site scripting. Data is read from location and passed to $() via the following statement:"

Note: The exploitability of this issue might depend on the specific version of jQuery that is being used. (jquery1.10.2)

And these are the statements:

$(".dot-nav li a[data-show-slide="+ location +"]").parent("li").addClass("active");

and

$(".slide-" + location).addClass("active");

I'm trying to imagine which scenario this would be exploitable. It seems to be a false positive because the variables path and var1 will get the literal value and won't trigger any JavaScript code. Could you please give me a scenario where this could be exploitable?

Thanks!

Uthman, PortSwigger Agent | Last updated: Apr 01, 2021 02:21PM UTC

Hi,

Our security researchers have looked into this. Please review the feedback below:

This version of jQuery doesn't seem to let you inject HTML in the selector. Safari will allow you to use raw <> characters in the location via the hash so that could have injected HTML on some versions of Safari.

Note that location in your example will be converted to a string, but the http:// part will cause a selector exception. We've tried injecting and it doesn't seem possible on this version.
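A hardened form of the two flagged statements, added here as an example and not part of the thread or of PortSwigger's reply: it never concatenates raw `location` data into a jQuery selector, so the result does not depend on the jQuery version or on how a browser encodes the hash. The function names, the assumption that the slide key lives in the URL fragment, and the allow-list pattern are all hypothetical.

```javascript
// Added example (not from the thread). Assumption: the slide key is carried in
// the URL fragment and is a short token such as "2" or "intro".
const SLIDE_KEY = /^[A-Za-z0-9_-]{1,32}$/;

// Return the validated slide key from a location-like object, or null when the
// fragment is empty, malformed, or contains characters outside the allow-list.
function slideKeyFromLocation(loc) {
  const raw = String(loc.hash || "").replace(/^#/, "");
  let decoded;
  try {
    decoded = decodeURIComponent(raw);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  return SLIDE_KEY.test(decoded) ? decoded : null;
}

// Build the two selectors from the thread using only a validated key.
function buildSelectors(loc) {
  const key = slideKeyFromLocation(loc);
  if (key === null) return null;
  return {
    nav: '.dot-nav li a[data-show-slide="' + key + '"]',
    slide: ".slide-" + key,
  };
}

// In the page, with jQuery loaded, the caller would then do:
//   const sel = buildSelectors(window.location);
//   if (sel) {
//     $(sel.nav).parent("li").addClass("active");
//     $(sel.slide).addClass("active");
//   }

// Constructed sample inputs (not captured from any real site).
const samples = [
  { hash: "#2" },          // expected slide key
  { hash: "#<b>x</b>" },   // raw markup in the hash
  { hash: "#%3Cb%3E" },    // the same markup, percent-encoded
  { hash: '#x"],body' },   // attempt to break out of the attribute selector
  { hash: "" },            // no fragment
];
for (const s of samples) {
  console.log(JSON.stringify(s.hash), "->", JSON.stringify(buildSelectors(s)));
}
```

Rejected input leaves the page in its default state instead of reaching `$()`, which also removes the finding from a rescan because `location` no longer flows into the selector unvalidated.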
