Burp Suite User Forum


DOM based Link Manipulation false positive

Cyrus | Last updated: Mar 23, 2023 02:35PM UTC

PortSwigger,

We currently use the Enterprise version of Burp Suite. We currently have a method of determining whether DOM-based link manipulation findings are false positives or not, and we would like to receive some feedback from a PortSwigger agent to determine whether these link manipulation vulnerabilities are true findings or not.

Issue detail: The application may be vulnerable to reflected DOM-based link manipulation. The value of the title request parameter is copied into a JavaScript string literal. The payload gwfspvkwr8 was submitted in the title parameter. The string containing the payload is then passed to anchor.href.

Is the anchor.href sink, in the context of DOM-based link manipulation, considered a false positive? If not, how could we further test this sink to determine confidence in this specific finding?

Thank you

Alex, PortSwigger Agent | Last updated: Mar 24, 2023 08:50AM UTC

Hi,

Thanks for your post. Unfortunately, we are unable to offer specific advice in relation to vulnerability findings and remediation. Our support function is to provide technical advice on the installation and management of Burp Suite Enterprise; we are unable to offer consultancy for scan results.

I have linked some resources below in relation to the vulnerability to assist with your investigations:

https://portswigger.net/kb/issues/00501000_link-manipulation-dom-based
https://portswigger.net/web-security/dom-based/link-manipulation
https://portswigger.net/web-security/dom-based

Apologies I could not be of further assistance.

Best regards,
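The triage question in the original post (does a value reaching anchor.href actually let a request parameter control where the link goes?) comes down to how the value is embedded before it hits the sink. The following is an added example, not code from the thread or from PortSwigger: a Node.js stand-in for the reported sink with a same-origin check, a hardened assignment, and a small probe that tells a real finding from a benign embedding. `anchor` is a plain object standing in for a DOM `<a>` element, and the page URL is a constructed sample.

```javascript
// Constructed sample page; the `title` request parameter feeds anchor.href.
const PAGE_URL = "https://app.example/articles?title=x";

// Resolve a candidate href the way the browser would and report whether it
// stays on the page's own origin over http(s). Relative paths and the
// protocol-relative "//host/..." form are both handled by the URL parser.
function isSameOriginHttpLink(candidate, pageUrl = PAGE_URL) {
  let resolved;
  try {
    resolved = new URL(candidate, pageUrl);
  } catch (e) {
    return false; // unparsable input is not a link we want to emit
  }
  const page = new URL(pageUrl);
  return (resolved.protocol === "http:" || resolved.protocol === "https:") &&
    resolved.origin === page.origin;
}

// Two ways a page might build the string that reaches the sink (hypothetical,
// to show the distinction the scanner's report does not make on its own).
const buildHrefDirect  = (title) => title;                                    // value is the whole href
const buildHrefAsQuery = (title) => "/articles?title=" + encodeURIComponent(title); // value is only a query param

// The pattern the scanner flags: the parameter value is assigned unchecked.
function assignHref(anchor, title, buildHref) {
  anchor.href = buildHref(title);
  return anchor.href;
}

// Hardened form: validate the resolved URL before it touches the sink.
function assignHrefChecked(anchor, title, buildHref, fallback = "/") {
  const candidate = buildHref(title);
  anchor.href = isSameOriginHttpLink(candidate) ? candidate : fallback;
  return anchor.href;
}

// Triage helper: can an off-origin or non-http value change where the built
// link resolves? True means the sink is genuinely parameter-controlled;
// false means the embedding keeps every value on the page's origin.
function sinkControlsOrigin(buildHref) {
  const probes = ["https://other.example/x", "//other.example/x", "ftp://other.example/x"];
  return probes.some((p) => !isSameOriginHttpLink(buildHref(p)));
}
```

Running `sinkControlsOrigin` against the page's own href-building code (rather than the two stand-ins here) is the check that separates a real finding from a false positive.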
