Burp Suite User Forum


Link manipulation (DOM-based) - JQuery

Olga | Last updated: Jan 23, 2019 10:44AM UTC

Hi all,

we use jquery-3.3.1.js in our application. Burp scan found Link manipulation (DOM-based) vulnerabilities in JQuery sources:

1.

    // Anchor tag for parsing the document origin
    originAnchor = document.createElement( "a" );
    originAnchor.href = location.href;

BURP comment: Data is read from location.href and passed to the 'href' property of a DOM element via the following statement: originAnchor.href = location.href;

As I can see, originAnchor is used in the library just to define if the request is crossDomain or not. So this does not look like real link manipulation. So, I think the finding is a false positive. Am I wrong or not?

2. And one more place was found:

    // Set the base href for the created document
    // so any parsed elements with URLs
    // are based on the document's URL (gh-2965)
    base = context.createElement( "base" );
    base.href = document.location.href;
    context.head.appendChild( base );
    } else {
    context = document;
    }

BURP comment: Data is read from document.location.href and passed to the 'href' property of a DOM element via the following statement: base.href = document.location.href;

I have found a comment in the jquery.js:

    // Support: Safari 8 only
    // In Safari 8 documents created via document.implementation.createHTMLDocument
    // collapse sibling forms: the second one becomes a child of the first one.
    // Because of that, this security measure has to be disabled in Safari 8.
    // https://bugs.webkit.org/show_bug.cgi?id=137337

The comment says that the "security measure has to be disabled in Safari 8 (Version: iOS8 (12A365) and newer) ". Thus that means that some security issue exists, but it seems that just for Safari.

I have the same question at the JQuery support forum: https://forum.jquery.com/topic/link-manipulation-dom-based

They answered: Take it up with the burp people. It's not even jQuery specific.

Could someone tell me if these are real JQuery issues and bugs are needed or the findings are false positive?

Thanks, Olga.

PortSwigger Agent | Last updated: Jan 23, 2019 11:31AM UTC

I don't see any significant security impact from either of those, so yes, they are false positives. The JavaScript analysis within Burp is very thorough, but unfortunately does produce some false positives.
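
Added example (not part of the thread and not jQuery's own code): a triage check for the first finding, modelling the use of originAnchor the question describes, a same-origin comparison, and testing whether the user-influenced parts of the page URL (path, query, fragment) can change its result. It assumes the WHATWG `URL` class as a stand-in for the anchor element's URL parsing; the function names and sample URLs are constructed for illustration.

```javascript
// Added example. WHATWG URL stands in for <a>.href parsing (assumption);
// all names and URLs below are hypothetical / constructed.

// Keep only the parts of the page URL that the comparison reads.
function originParts(pageHref) {
  const u = new URL(pageHref);
  return { protocol: u.protocol, host: u.host };
}

// True when requestUrl targets a different scheme, host or port than
// the page. A request URL that cannot be parsed counts as cross-domain.
function isCrossDomain(pageHref, requestUrl) {
  const origin = originParts(pageHref);
  try {
    const target = new URL(requestUrl, pageHref); // resolves relative URLs
    return origin.protocol + "//" + origin.host !==
           target.protocol + "//" + target.host;
  } catch (e) {
    return true;
  }
}

// Triage helper: does any variant of the page URL that differs only in
// path, query or fragment change the verdict for the same request?
function verdictDependsOnTaint(basePageHref, taintedVariants, requestUrl) {
  const baseline = isCrossDomain(basePageHref, requestUrl);
  return taintedVariants.some(
    (variant) => isCrossDomain(variant, requestUrl) !== baseline
  );
}

// Constructed sample input: same page, different tainted components.
const PAGE = "https://app.example/account";
const TAINTED = [
  "https://app.example/account?next=https://other.example/",
  "https://app.example/account#//other.example/login",
  "https://app.example/a/b/../c?x=%22%3E%3Cbase%20href%3D//other.example%3E",
];

console.log(verdictDependsOnTaint(PAGE, TAINTED, "/api/users"));
console.log(verdictDependsOnTaint(PAGE, TAINTED, "https://cdn.example/lib.js"));
```

Both calls print `false`: only the scheme and host of the page URL feed the comparison, and the value ends up as a boolean rather than as a link a user can follow.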
