Burp Suite User Forum


"Link manipulation (DOM-based)" false positive - local variable override

Andrii | Last updated: Apr 17, 2016 08:54AM UTC

Hi,

Burp Scanner v1.6.38 generated a false positive for "Link manipulation (DOM-based)". Excerpt from report:

    Data is read from location and passed to the 'href' property of a DOM element via the following statements:
    location = setParameter(location, tokenName, tokenValue);
    parser.href = url;

However, Burp Scanner didn't take into account that "location" is not "window.location" but a local variable inside this function:

    function injectTokenAttribute(element, attr, tokenName, tokenValue, pageTokens) {
        var location = element.getAttribute(attr);
        if (location != null && isValidUrl(location)) {
            var uri = parseUri(location);
            var value = (pageTokens[uri] != null ? pageTokens[uri] : tokenValue);
            if (getParameter(location, tokenName) != tokenValue) {
                location = setParameter(location, tokenName, tokenValue);
                try {
                    element.setAttribute(attr, location);
                } catch (e) {
                    // attempted to set/update unsupported attribute
                }
            }
        }
    }

As you can see, there is an assignment operation:

    var location = element.getAttribute(attr);

Thanks,
Andrii.

PortSwigger Agent | Last updated: Apr 18, 2016 07:58AM UTC

Thanks for this report. We're aware of this problem in that the JS analysis can sometimes confuse local variables with global default variables. Next time we have a push on the code analysis function, we'll get this resolved.
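An added illustration of the local-versus-global confusion discussed in this thread. It is not Burp's code and not how Burp's JS analysis is implemented; it is a toy intra-procedural taint check that is run over the function from Andrii's report and over a constructed function (setReturnLink) that really does route window.location into a link. The "naive" mode treats every bare `location` as the global, which reproduces the false positive; the "scope-aware" mode first checks whether `location` is bound locally. The function names analyzeLinkManipulation and locationIsShadowed and the setReturnLink sample are assumptions made for this example.

```javascript
// Added example (not Burp's code): a toy taint check for DOM-based link manipulation
// that distinguishes the global `location` from a local variable of the same name.

// Copy of the function from the report above; `location` is a local here.
const SHADOWED_SAMPLE = `function injectTokenAttribute(element, attr, tokenName, tokenValue, pageTokens) {
  var location = element.getAttribute(attr);
  if (location != null && isValidUrl(location)) {
    var uri = parseUri(location);
    var value = (pageTokens[uri] != null ? pageTokens[uri] : tokenValue);
    if (getParameter(location, tokenName) != tokenValue) {
      location = setParameter(location, tokenName, tokenValue);
      try { element.setAttribute(attr, location); } catch (e) { /* unsupported attribute */ }
    }
  }
}`;

// Constructed sample: here `location` really is window.location and feeds an href.
const GLOBAL_SAMPLE = `function setReturnLink(anchor) {
  var target = new URLSearchParams(location.search).get('next');
  if (target) anchor.href = target;
}`;

// Blank out comments and string literals so identifiers inside them are ignored.
// One alternation, scanned left to right, so a `//` inside a string is not a comment.
const SKIP_RE = /\/\*[\s\S]*?\*\/|\/\/[^\n]*|'(?:\\.|[^'\\\n])*'|"(?:\\.|[^"\\\n])*"|`(?:\\.|[^`\\])*`/g;
function stripStringsAndComments(src) {
  return src.replace(SKIP_RE, m => (m.startsWith('/') ? ' ' : '""'));
}

// Is `location` bound locally in this function (parameter or var/let/const)?
// `var` is hoisted to function scope; let/const are treated the same way, which is a
// conservative simplification (an inner-block `let` would not shadow outside its block).
function locationIsShadowed(fnSource) {
  const code = stripStringsAndComments(fnSource);
  const head = /function\s*[\w$]*\s*\(([^)]*)\)/.exec(code);
  const params = head ? head[1].split(',').map(p => p.trim().split('=')[0].trim()) : [];
  if (params.includes('location')) return true;
  return /\b(?:var|let|const)\s+location\b/.test(code);
}

const BARE_LOCATION = /(?<![\w$.])location\b/;                       // `location`, not `x.location`
const GLOBAL_LOCATION = /\b(?:window|document|self|globalThis)\s*\.\s*location\b/;

// Does an expression carry data from the global location (directly or via a tainted name)?
function isTainted(expr, tainted, bareIsSource) {
  if (GLOBAL_LOCATION.test(expr)) return true;
  if (bareIsSource && BARE_LOCATION.test(expr)) return true;
  const ids = expr.match(/[A-Za-z_$][\w$]*/g) || [];
  return ids.some(id => tainted.has(id));
}

// Walk the function statement by statement, propagating taint through simple assignments,
// and report the value expressions that reach an href assignment or setAttribute() call.
function analyzeLinkManipulation(fnSource, { scopeAware }) {
  const code = stripStringsAndComments(fnSource);
  const bareIsSource = !(scopeAware && locationIsShadowed(fnSource));
  const tainted = new Set();
  const findings = [];
  for (const stmt of code.split(/[;\n]/).map(s => s.trim()).filter(Boolean)) {
    const sink = /\.href\s*=(?!=)\s*(.+)$/.exec(stmt)
      || /setAttribute\s*\(\s*[^,]+,\s*(.+?)\s*\)/.exec(stmt);
    if (sink) {
      if (isTainted(sink[1], tainted, bareIsSource)) findings.push(sink[1].trim());
      continue;
    }
    const assign = /^(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+)$/.exec(stmt);
    if (assign) {
      if (isTainted(assign[2], tainted, bareIsSource)) tainted.add(assign[1]);
      else tainted.delete(assign[1]);
    }
  }
  return findings;
}

function compareModes(fnSource) {
  return {
    naive: analyzeLinkManipulation(fnSource, { scopeAware: false }),
    scopeAware: analyzeLinkManipulation(fnSource, { scopeAware: true }),
  };
}

console.log(compareModes(SHADOWED_SAMPLE)); // { naive: [ 'location' ], scopeAware: [] }  <- the false positive
console.log(compareModes(GLOBAL_SAMPLE));   // { naive: [ 'target' ], scopeAware: [ 'target' ] }  <- a real flow
```

Run it with `node`. The naive mode flags the report's function exactly as the scanner did, because it sees a bare `location` flowing into setAttribute; the scope-aware mode resolves that identifier to the `var location` declaration and drops the finding, while still reporting the constructed setReturnLink case where window.location genuinely reaches anchor.href. A production analysis would do this on a real AST with proper block scoping rather than with line splitting and regexes, but the deciding step is the same: resolve the binding before treating the name as a source.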
