Burp Suite User Forum

Create new post

How to reproduce following POC of dom based open redirection Vulnerability Flagged by burp suite scan

Ahmed | Last updated: Aug 15, 2023 10:32AM UTC

Data is read from location.pathname and passed to xhr.open. The following value was injected into the source: /////hwrylpu593%27%22%60'%22/hwrylpu593/%3E%3Chwrylpu593//%3Egktz6gq8qs& The previous value reached the sink as: /////hwrylpu593'"`'"/hwrylpu593/><hwrylpu593//>gktz6gq8qs&?zqgerl0shg=zqgerl0shg%27%22`'"/zqgerl0shg/><zqgerl0shg/\>v0p1u3tf3q& The stack trace at the source was: at Object.jQyco (<anonymous>:1:109813) at Object.xiELL (<anonymous>:1:521436) at Object._0x4dc2e1 [as proxiedGetterCallback] (<anonymous>:1:537599) at get pathname [as pathname] (<anonymous>:1:236711) at https://www.tink.com/app-347fa0be076631072016.js:2:88301 The stack trace at the sink was: at Object.lbDRJ (<anonymous>:1:107180) at _0x3878e6 (<anonymous>:1:540000) at _0x485a57.<computed>._0x568136.<computed>.<computed>.<computed> [as open] (<anonymous>:1:445933) at https://www.tink.com/app-347fa0be076631072016.js:2:67217 at new Promise (<anonymous>) at d (https://www.tink.com/app-347fa0be076631072016.js:2:67165) at https://www.tink.com/app-347fa0be076631072016.js:2:75661 at async Promise.all (index 1) This was triggered by a readystatechange event. The following proof of concept was generated for this issue: https://www.tink.com/////someurl i can't reproduce it

Dominyque, PortSwigger Agent | Last updated: Aug 15, 2023 10:50AM UTC

Hi Ahmed We will respond to your email about this. Please respond there to keep the thread in one place; thank you.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.