Burp Suite User Forum


Link manipulation (DOM-based) - JQuery

Olga | Last updated: Jan 23, 2019 10:44AM UTC

Hi all,

We use jquery-3.3.1.js in our application. A Burp scan found Link manipulation (DOM-based) vulnerabilities in the JQuery sources:

1.

    // Anchor tag for parsing the document origin
    originAnchor = document.createElement( "a" );
    originAnchor.href = location.href;

BURP comment: Data is read from location.href and passed to the 'href' property of a DOM element via the following statement: originAnchor.href = location.href;

As far as I can see, originAnchor is used in the library just to define if the request is crossDomain or not. So this does not look like real link manipulation. So, I think the finding is a false positive. Am I wrong or not?

2. And one more place was found:

    // Set the base href for the created document
    // so any parsed elements with URLs
    // are based on the document's URL (gh-2965)
    base = context.createElement( "base" );
    base.href = document.location.href;
    context.head.appendChild( base );
    } else {
    context = document;
    }

BURP comment: Data is read from document.location.href and passed to the 'href' property of a DOM element via the following statement: base.href = document.location.href;

I have found a comment in jquery.js:

    // Support: Safari 8 only
    // In Safari 8 documents created via document.implementation.createHTMLDocument
    // collapse sibling forms: the second one becomes a child of the first one.
    // Because of that, this security measure has to be disabled in Safari 8.
    // https://bugs.webkit.org/show_bug.cgi?id=137337

The comment says that the "security measure has to be disabled in Safari 8 (Version: iOS8 (12A365) and newer)". That means that some security issue exists, but it seems that it is just for Safari.

I have the same question at the Jquery support forum: https://forum.jquery.com/topic/link-manipulation-dom-based

They answered: Take it up with the burp people. It's not even jQuery specific.

Could someone tell me if these are real JQuery issues and bugs are needed, or whether the findings are false positives?

Thanks,
Olga.

PortSwigger Agent | Last updated: Jan 23, 2019 11:31AM UTC

I don't see any significant security impact from either of those, so yes, they are false positives. The JavaScript analysis within Burp is very thorough, but unfortunately does produce some false positives.

vignesh | Last updated: Jun 29, 2023 05:58PM UTC

Hi, can you please explain why this is a false positive? Thanks

Hannah, PortSwigger Agent | Last updated: Jun 30, 2023 08:38AM UTC

Whilst link manipulation may be possible, in this case, there is no security impact from attempting to exploit it.
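
The data flow from the first finding, modelled as an added example that is not part of the thread and is not jQuery's own code: the WHATWG URL class stands in for the detached anchor element so it runs in Node. It assumes, from jQuery 3.x's ajax source, that originAnchor is read only as protocol plus host for the crossDomain comparison; the function names and sample URLs are constructed.

```javascript
// Added illustration; names and URLs are constructed, not from jQuery or the thread.
// The WHATWG URL class stands in for the detached <a> element jQuery creates.

// Equivalent of reading originAnchor.protocol + "//" + originAnchor.host.
function originKey(href, base) {
  const u = new URL(href, base);
  return u.protocol + "//" + u.host;
}

// Model of the crossDomain decision: only scheme and host[:port] are compared.
// Path, query and fragment of location.href never reach the result.
function isCrossDomain(pageHref, requestUrl) {
  try {
    return originKey(pageHref) !== originKey(requestUrl, pageHref);
  } catch (e) {
    // Assumption from the 3.x source: an unparsable URL is treated as cross-domain.
    return true;
  }
}

// Constructed page URLs: same origin, different user-influenced query and fragment.
const cleanPage = "https://app.example/orders";
const taintedPage = "https://app.example/orders?next=https://other.example/#x=1";

// Run the same request URL against both page URLs to compare the decisions.
function triage(requestUrl) {
  return {
    clean: isCrossDomain(cleanPage, requestUrl),
    tainted: isCrossDomain(taintedPage, requestUrl),
  };
}

console.log(triage("/api/items"));
console.log(triage("https://cdn.example/lib.js"));
```

When triaging this class of finding, the check that matters is whether the element receiving the tainted href is ever attached to the live document or only read back for its parsed components, as modelled here.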
