Burp Suite User Forum


DOM-based XSS - help

James | Last updated: Feb 18, 2019 12:19AM UTC

Hello, Burp has found a DOM-based XSS. I'm not very experienced with JS, so I can't really tell how to trigger this XSS. The report looks like this:

1st highlight:
$('a[id="future_' + spl[1] + '"]').trigger('click').trigger('mouseup');

2nd highlight:
var i, ftu, id, title, otab, c = 'active', fun, sp, tpl = format('<li class="{0}"><a id="{1}" data-target="#bookTable" data-toggle="tab">{2} <span class="currentMaxLeverage"></span></a></li>'), fun1, spl = window.location.hash.split('='), mtn = {'Jan':'01','Feb':'02','Mar':'03','Apr':'04','May':'05','Jun':'06','Jul':'07','Aug':'08','Sep':'09','Oct':'10','Nov':'11','Dec':'12'};

From the first highlight I can tell that I have to click on something with ID = future_?. For the second highlight I'm not very sure what's going on there. I would really appreciate help; it would also help me understand JS more. The website uses jQuery 1.4.3.

PortSwigger Agent | Last updated: Feb 22, 2019 01:51PM UTC

That's an interesting finding. We've investigated this in some detail and were not able to build a working exploit. We were attempting variants like this:

http://test/test.html#param=<img src='x' onerror='console.log(1337)'>

However, because your site splits on =, that prevents use of = in the exploit. It was suggested that it may be exploitable in Internet Explorer using <script>console.log(1337) instead, although I was unable to get that working either. Pragmatically, we would still recommend this issue be fixed. It is close to being exploitable and definitely bad practice. We'd recommend a strict character whitelist on spl[1], probably just alphanumeric characters. Also, newer versions of jQuery are more robust against XSS in the $() function. There's some relevant information on this page:
- https://ttmm.io/tech/jquery-xss/
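The whitelist fix the reply recommends, as an added example that is not code from the forum, from James's site or from PortSwigger: it keeps the report's a[id="future_..."] concatenation only for comparison, validates the fragment value before it reaches any selector, and then looks the element up by id instead of building a selector string. It assumes the tab name is only ever alphanumeric (plus underscore and hyphen), that the document and jQuery are passed in as doc and $, and that the helper names are hypothetical.

```javascript
'use strict';

// Strict whitelist (assumption): the only characters a tab id may contain.
const TAB_ID_RE = /^[A-Za-z0-9_-]+$/;

// Extract the value after '=' from a fragment such as '#tab=XBTUSD',
// mirroring the site's window.location.hash.split('=') and spl[1].
// Returns null when the value fails the whitelist, so untrusted fragment
// data never reaches a selector or an HTML template.
function tabIdFromHash(hash) {
  const spl = String(hash || '').split('=');
  if (spl.length < 2) return null;
  const candidate = spl[1];
  return TAB_ID_RE.test(candidate) ? candidate : null;
}

// Pattern from the Burp report, kept only for comparison: the untrusted
// fragment value is concatenated straight into a jQuery selector string.
function unsafeSelector(spl1) {
  return 'a[id="future_' + spl1 + '"]';
}

// Hardened replacement: validate first, then resolve the element by id
// (no selector parsing of user input) before handing it to jQuery.
// Returns true when a tab was activated, false when the input was rejected
// or no such tab exists.
function activateFutureTab(hash, doc, $) {
  const id = tabIdFromHash(hash);
  if (id === null) return false;
  const el = doc.getElementById('future_' + id);
  if (!el) return false;
  $(el).trigger('click').trigger('mouseup');
  return true;
}
```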
