The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Dynamic analysis - Cross-site scripting (DOM-based)

Clara | Last updated: Sep 21, 2020 10:12AM UTC

After scanning my application I have Cross-site scripting (DOM-based) reported, details below: Data is read from input.value and passed to jQuery.replaceWith. The source element has id BasicData_CertificateIssueDate and name BasicData.CertificateIssueDate. The following value was injected into the source: 21.01.2004 The previous value reached the sink as: <div class='form-control read-only-plain-text full-site input-sm ea-triggers-bound'>jshdyzk4qe%2527%2522`'"/jshdyzk4qe/><jshdyzk4qe/\>vf8i5jo7pl&</div> I don't understand why value injected is completely different than value reached the sink? How can I confirmed this vulnerability manually? Moreover in the example https://portswigger.net/blog/dynamic-analysis-of-javascript I can see proof of concept but in my results there is no proof of concept, why? Can you point me in the right direction of how to manually confirm this vulnerability or proof that this is false positive?

Uthman, PortSwigger Agent | Last updated: Sep 21, 2020 12:10PM UTC

Hi Clara, That looks like it could be a bug. Which Burp product are you using? And what version? Can you share the full issue details with us? You can reach us on support@portswigger.net

Clara | Last updated: Sep 24, 2020 05:47PM UTC

I am using Burp Suite Professional version 2020.7.

Uthman, PortSwigger Agent | Last updated: Sep 25, 2020 08:17AM UTC