Burp Suite User Forum


Dom invader bug?

chain00x | Last updated: Aug 06, 2023 04:47PM UTC

Hi, I found a small problem with DOM Invader. This is my HTML code:

    <script>
    // Return the decoded value of one query-string parameter, or false if absent
    function getQueryVariable(variable) {
        var query = window.location.search.substring(1)
        var vars = query.split("&")
        for (var i = 0; i < vars.length; i++) {
            var pair = vars[i].split("=")
            if (pair[0] == variable) {
                return decodeURIComponent(pair[1])
            }
        }
        return false
    }
    // Pass the value straight to the location.replace sink
    function locationReplace(e) {
        window.location.replace(e);
    }
    var url = getQueryVariable("url");
    var a = locationReplace(url);
    </script>

I set the canary to test. When I go to http://127.0.0.1/test.html?url=cgg://test.com the plugin does not prompt in developer tools. But when I turn the sink on, the console has a hint:

    isInteresting true
    VM51:4 canary cgg
    VM51:5 sink location.replace
    VM51:6 stackTrace
        at Object._0x343e27 [as proxiedLocationFunctionCallback] (<anonymous>:13:462360)
        at Object.replace (<anonymous>:13:143865)
        at locationReplace (http://127.0.0.1/test.html?url=cgg://test.com:15:29)
        at http://127.0.0.1/test.html?url=cgg://test.com:19:17
    VM51:7 value cgg://test.com
    VM51:8 url http://127.0.0.1/test.html?url=cgg://test.com
    VM51:9 framePath top
    VM51:10 event
    VM51:11 outerHTML

I want to know if it's my operation or the plugin.

chain00x | Last updated: Aug 06, 2023 04:48PM UTC

Additional note: when I turn the Sink callback configuration on, the console has a hint.

chain00x | Last updated: Aug 06, 2023 05:09PM UTC

It can trace location.replace when you use this code:

    // Delay the redirect by two seconds before calling the sink
    function locationReplace(e) {
        setTimeout("window.location.replace(\"" + e + "\")", 2000)
    }
    var url = new URLSearchParams(window.location.search).get("url")
    var a = locationReplace(url)

chain00x | Last updated: Aug 06, 2023 05:10PM UTC

Could it be that the jump is too fast, so it stops working before anything is shown?

Michelle, PortSwigger Agent | Last updated: Aug 07, 2023 01:54PM UTC

Hi, can you confirm which version of Burp you are using so we can have a chat with the team?

Michelle, PortSwigger Agent | Last updated: Aug 09, 2023 09:02AM UTC

One other thought on this one, you might need to prevent redirects. Going to DOM Invader settings->Misc->Prevent redirection will let you see if the canary hits the redirection sink without causing a redirect. https://portswigger.net/burp/documentation/desktop/tools/dom-invader/settings/misc#redirection-prevention
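
The test page in this thread passes the `url` query parameter straight to `location.replace`, which is the sink DOM Invader reports. As an added example (not part of the thread and not PortSwigger code), this is one way to validate that value before it reaches the sink; the function names and the allow-list of `127.0.0.1` are assumptions made for illustration.

```javascript
// Added example: validate the redirect target before it reaches location.replace.
// ALLOWED_HOSTS is an assumption; list the hosts your page may redirect to.
const ALLOWED_HOSTS = new Set(["127.0.0.1"]);

// Returns a normalised absolute URL that is safe to redirect to, or null.
// `search` is location.search, `pageUrl` is location.href (used as the base).
function safeRedirectTarget(search, pageUrl) {
  const raw = new URLSearchParams(search).get("url");
  if (raw === null || raw === "") return null;

  let target;
  try {
    // Resolving against the page URL handles relative paths and also
    // exposes scheme-relative ("//host") and backslash variants.
    target = new URL(raw, pageUrl);
  } catch (e) {
    return null; // unparsable input never reaches the sink
  }

  // Only web schemes; rejects cgg:, javascript:, data: and similar.
  if (target.protocol !== "http:" && target.protocol !== "https:") return null;

  // Compare the parsed hostname, not a substring of the raw string,
  // so "http://127.0.0.1@test.com/" is judged by its real host.
  if (!ALLOWED_HOSTS.has(target.hostname)) return null;

  return target.href;
}

// Drop-in for the page's locationReplace(): `loc` is window.location in a
// browser, or any object with search, href and replace() when testing.
function redirectFromQuery(loc) {
  const target = safeRedirectTarget(loc.search, loc.href);
  if (target !== null) loc.replace(target);
  return target;
}
```

With this in place the thread's test URL (`?url=cgg://test.com`) produces no navigation, so a sink report for it would show only the validated value.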
