Burp Suite User Forum

Create new post

DOM Invader Prototype Pollution Lab

Nydegger | Last updated: Apr 03, 2023 11:40AM UTC

Hello I'm following along the prototype pollution lab. In the section "Finding client-side prototype pollution gadgets using DOM Invader" I follow the solution steps to solve the lab but when I click on the "Scan for Gadgets" Button, the browser opens up a new tab and nothing happens. There is no loading bar and no error messages in the console. Chromium version is: Version 111.0.5563.111 (Official Build) (64-bit) Burp Pro Version: v2023.2.4 Best Regards

Ben, PortSwigger Agent | Last updated: Apr 03, 2023 12:52PM UTC

Hi Marc, Are you able to provide us with some screenshots of the settings that you have configured within DOM Invader (within the 'Main settings', 'Attack types' and 'Misc' sections)? If it is easier to provide these screenshots via email then please feel free to send us an email at support@portswigger.net and we can take a look from there.

Nydegger | Last updated: Apr 04, 2023 07:49AM UTC

Hey Ben, I sent those screenshots your way. I have a second installation of Burp on another computer and there, DOM Invader works as advertised. The prototype pollution settings have the "scan for gadgets ticked off" so I don't understand why it works there but not on this one, where I have "scan for gadgets ticked on". Switching to off on the installation that is not working, did not resolve the problem.

Hannah, PortSwigger Agent | Last updated: Apr 05, 2023 09:00AM UTC

Thanks, we've received your email.

Frisch | Last updated: Apr 26, 2023 02:47PM UTC

Hi, Were you ever able to solve this problem? I'm currently stubbling on it too. Regards, Raphaël

creep33 | Last updated: Apr 27, 2023 11:10AM UTC

Hi, Is there any update about this issue?

Hannah, PortSwigger Agent | Last updated: Apr 28, 2023 08:28AM UTC

Hi We weren't able to get to the bottom of this. Could you provide some additional information: - Your OS - The version of Burp you are using - Whether you are using the standalone JAR or this Installer version of Burp If you're using the installer version of Burp, can you try launching the standalone JAR (or vice versa)? Does this have any impact on the issue? You can find our latest downloads and releases here: https://portswigger.net/burp/releases Our documentation on launching Burp from the command line can be found here: https://portswigger.net/burp/documentation/desktop/getting-started/launch-from-command-line

creep33 | Last updated: May 02, 2023 05:39PM UTC

Hi, the issue is when I use BurpSuite Extension to find Prototype Pollution Vulnerabilities, but when using the extension tool to find the vuln, the is no vulnerability found. This lab cant´t be solved using the Solution CheatSheet. https://portswigger.net/web-security/prototype-pollution/client-side/lab-prototype-pollution-client-side-prototype-pollution-in-third-party-libraries OS: Windows 10 Burp: v2023.3.5 Burp Solution: Burpsuite Installer

Hannah, PortSwigger Agent | Last updated: May 04, 2023 10:16AM UTC

Hi After further investigation, we believe this is related to an issue in DOM Invader with newer versions of Chrome. We're working on updating this, so it should be fixed soon.

Sebastian | Last updated: Sep 18, 2023 03:01PM UTC

Hi, are there any updates on this issue? The problem seems to persist until now.

Ben, PortSwigger Agent | Last updated: Sep 18, 2023 04:23PM UTC

Hi Sebastian, We released a fix for this issue in 2023.5.1 - are you able to confirm which version of Burp you are using so that we can investigate this?

Khaled | Last updated: Mar 01, 2024 06:20PM UTC

Hi Guys, I'm using the latest burp but facing this issue, any luck knowing the solution for this? Burp:2024.2.1 OS: linux mint Openjdk 21.0.2 2024-01-16 OpenJDK Runtime Environment (build 21.0.2+13-Ubuntu-120.04.1) OpenJDK 64-Bit Server VM (build 21.0.2+13-Ubuntu-120.04.1, mixed mode, sharing)

Ben, PortSwigger Agent | Last updated: Mar 04, 2024 09:34AM UTC

Hi Khaled, Just to confirm, you are having issues using the scan for gadgets functionality in the 'Client-side prototype pollution in third-party libraries' lab or something else?

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.