Burp Suite User Forum


Link Manipulation (DOM-based)

Hank | Last updated: Feb 07, 2023 05:47PM UTC

Hi. I'm getting the following Link Manipulation alert that I'd like to make sense of:

Data is read from location.href and passed to element.setAttribute.href.

The following value was injected into the source:
https://website.url.here/?k6hitxewzh=k6hitxewzh%27%22`’"/k6hitxewzh/><k6hitxewzh/\>xvwjz8ywjt&#k6hitxewzh=k6hitxewzh%27%22`'"/k6hitxewzh/><k6hitxewzh/\>xvwjz8ywjt&

The previous value reached the sink as: #/

The stack trace at the source was:
at Object._0x1e83ce [as proxiedGetterCallback] (<anonymous>:1:770736)
at get href [as href] (<anonymous>:1:344838)
at ge (https://website.url.here/js/chunk-vendors.4a1454d7.js:65:25197)
at ve (https://website.url.here/js/chunk-vendors.4a1454d7.js:65:25328)
at e.ensureURL (https://website.url.here/js/chunk-vendors.4a1454d7.js:65:24841)
at https://website.url.here/js/chunk-vendors.4a1454d7.js:65:20916
at https://website.url.here/js/chunk-vendors.4a1454d7.js:65:22173
at r (https://website.url.here/js/chunk-vendors.4a1454d7.js:65:17177)
at jt (https://website.url.here/js/chunk-vendors.4a1454d7.js:65:17223)
at https://website.url.here/js/chunk-vendors.4a1454d7.js:65:22104
at r (https://website.url.here/js/chunk-vendors.4a1454d7.js:65:17177)
at https://website.url.here/js/chunk-vendors.4a1454d7.js:65:17205
at https://website.url.here/js/chunk-vendors.4a1454d7.js:65:22015
at https://website.url.here/js/chunk-vendors.4a1454d7.js:65:18776
at h (https://website.url.here/js/chunk-vendors.4a1454d7.js:65:21769)
at r (https://website.url.here/js/chunk-vendors.4a1454d7.js:65:17186)
at https://website.url.here/js/chunk-vendors.4a1454d7.js:65:17205
at https://website.url.here/js/chunk-vendors.4a1454d7.js:65:22015
at https://website.url.here/js/app.8089f490.js:1:2198989
at l (https://website.url.here/js/chunk-vendors.4a1454d7.js:65:86518)
at Generator._invoke (https://website.url.here/js/chunk-vendors.4a1454d7.js:65:87848)
at Generator.next (https://website.url.here/js/chunk-vendors.4a1454d7.js:65:86947)
at o (https://website.url.here/js/chunk-vendors.4a1454d7.js:48:14509)
at s (https://website.url.here/js/chunk-vendors.4a1454d7.js:48:14704)
at https://website.url.here/js/chunk-vendors.4a1454d7.js:48:14763
at new Promise (<anonymous>)
at new e (https://website.url.here/js/chunk-vendors.4a1454d7.js:54:428376)
at https://website.url.here/js/chunk-vendors.4a1454d7.js:48:14648
at https://website.url.here/js/app.8089f490.js:1:2199087
at h (https://website.url.here/js/chunk-vendors.4a1454d7.js:65:21769)

The stack trace at the sink was:
at Object.ZzNWK (<anonymous>:1:214066)
at Object.ZBEoB (<anonymous>:1:755999)
at _0xb65e0a (<anonymous>:1:771937)
at _0x5792de (<anonymous>:1:684711)
at HTMLAnchorElement.setAttribute (<anonymous>:1:686884)
at Vi (https://website.url.here/js/chunk-vendors.4a1454d7.js:38:51342)
at Ni (https://website.url.here/js/chunk-vendors.4a1454d7.js:38:51079)
at Array.Ri (https://website.url.here/js/chunk-vendors.4a1454d7.js:38:50653)
at w (https://website.url.here/js/chunk-vendors.4a1454d7.js:38:45436)
at h (https://website.url.here/js/chunk-vendors.4a1454d7.js:38:44337)
at a.__patch__ (https://website.url.here/js/chunk-vendors.4a1454d7.js:38:48688)
at In.t._update (https://website.url.here/js/chunk-vendors.4a1454d7.js:38:27087)
at a.r (https://website.url.here/js/chunk-vendors.4a1454d7.js:38:27893)
at rr.get (https://website.url.here/js/chunk-vendors.4a1454d7.js:38:30788)
at new rr (https://website.url.here/js/chunk-vendors.4a1454d7.js:38:30706)
at Pn (https://website.url.here/js/chunk-vendors.4a1454d7.js:38:27917)
at xr.$mount (https://website.url.here/js/chunk-vendors.4a1454d7.js:38:66038)
at init (https://website.url.here/js/chunk-vendors.4a1454d7.js:38:20676)
at d (https://website.url.here/js/chunk-vendors.4a1454d7.js:38:44578)
at h (https://website.url.here/js/chunk-vendors.4a1454d7.js:38:44207)
at b (https://website.url.here/js/chunk-vendors.4a1454d7.js:38:45192)
at h (https://website.url.here/js/chunk-vendors.4a1454d7.js:38:44322)
at b (https://website.url.here/js/chunk-vendors.4a1454d7.js:38:45192)
at h (https://website.url.here/js/chunk-vendors.4a1454d7.js:38:44322)
at b (https://website.url.here/js/chunk-vendors.4a1454d7.js:38:45192)
at h (https://website.url.here/js/chunk-vendors.4a1454d7.js:38:44322)
at a.__patch__ (https://website.url.here/js/chunk-vendors.4a1454d7.js:38:48688)
at In.t._update (https://website.url.here/js/chunk-vendors.4a1454d7.js:38:27087)
at a.r (https://website.url.here/js/chunk-vendors.4a1454d7.js:38:27893)
at rr.get (https://website.url.here/js/chunk-vendors.4a1454d7.js:38:30788)

Is this a false positive? If not, how should I go about resolving it?
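The pattern the scanner reports is location.href flowing into element.setAttribute("href"). As an added example (not code from this thread or from the site in question), the snippet below shows that flow in its raw form beside a hardened version that parses the URL, allows only same-origin http(s) targets and falls back to the fixed route "#/" otherwise. It assumes Node's WHATWG URL class and a small stand-in object for an HTMLAnchorElement; website.url.here is the placeholder origin from the report.

```javascript
// Vulnerable form: whatever is in the address bar lands in the href attribute.
function unsafeLinkFromLocation(el, locationHref) {
  el.setAttribute("href", locationHref);
  return el.getAttribute("href");
}

// Hardened form: parse, require http(s), require the expected origin, and
// fall back to a fixed route ("#/" in the report) when validation fails.
function safeHrefFromLocation(locationHref, expectedOrigin, fallback = "#/") {
  let url;
  try {
    url = new URL(locationHref);           // rejects malformed input
  } catch {
    return fallback;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return fallback;
  if (url.origin !== expectedOrigin) return fallback;
  // Keep only path + query + fragment, re-serialised by the URL parser so
  // quote and angle-bracket characters reach the sink percent-encoded.
  return url.pathname + url.search + url.hash;
}

function safeLinkFromLocation(el, locationHref, expectedOrigin) {
  el.setAttribute("href", safeHrefFromLocation(locationHref, expectedOrigin));
  return el.getAttribute("href");
}

// Minimal stand-in for an HTMLAnchorElement so this runs outside a browser.
function makeAnchor() {
  const attrs = {};
  return {
    setAttribute: (name, value) => { attrs[name] = String(value); },
    getAttribute: (name) => attrs[name],
  };
}

// Constructed inputs modelled on the report: a scanner-style probe in the
// query string, and a non-http scheme that must never reach the attribute.
const ORIGIN = "https://website.url.here";
const PROBE = ORIGIN + "/?k=k%27%22`'\"/k/><k/\\>x";

function demo() {
  return {
    unsafe: unsafeLinkFromLocation(makeAnchor(), PROBE),
    safe: safeLinkFromLocation(makeAnchor(), PROBE, ORIGIN),
    blocked: safeLinkFromLocation(makeAnchor(), "javascript:void(0)", ORIGIN),
  };
}
```

Whether the alert is a real issue on a given site depends on what the application does with the attribute afterwards, but the hardened path is what makes the flow uninteresting to the scanner and to an attacker alike.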

Michelle, PortSwigger Agent | Last updated: Feb 08, 2023 02:47PM UTC

Our support service is here to provide technical advice with Burp Suite. Unfortunately, we can't provide specific assistance with dissecting/explaining scan reports, although people in our wider community may be happy to offer advice. If you need to reproduce DOM-based issues, you might find DOM Invader useful:
- https://portswigger.net/burp/documentation/desktop/tools/dom-invader
