The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Missed DOM XSS

Anthony | Last updated: Jan 23, 2015 07:41PM UTC

We were testing your DOM XSS scanning capability against test web sites (from the makers of Ra.2) and noted two obvious false-negatives that were missed.

EXAMPLE 1: http://www.daspatnaik.com/test/demo/dom-xss-02.html

RESPONSE 1:

<html>
<head>
<title> DOM XSS 02 </title>
<script type="text/javascript">
function timedMsg(callback) {
  if(callback){
    var t=setTimeout(eval('callback'),500);
    return 0;
  }
}
function fire() {
  var call = location.hash.split("#")[1];
  timedMsg(call);
}
</script>
</head>
<body onload="fire()">
<h4>Example Exploit: dom-xss-02.html#alert(1)</h4>
<form>
<input type="button" value="Display timed alertbox!" onclick="fire()" />
</form>
</body>
</html>

EXAMPLE 2: http://www.daspatnaik.com/test/demo/dom-xss-03.html

RESPONSE 2:

<html>
<head>
<title> DOM XSS 03 </title>
<script>
function go(){
  if (document.location.hash.split("#")[1]) {
    document.location.replace(document.location.hash.split("#")[1]);
  }
}
</script>
</head>
<body onload="go()">
<h4>Example Exploit: dom-xss-03.html#javascript:alert(1)</h4>
<input type="button" id="btn1" value="Click Me" onClick="go()"></input>
</body>
</html>

The other pages at this site were properly identified as vulnerable (http://www.daspatnaik.com/test/demo/dom-xss-(1,4-7).html). This behavior was seen on v.1.6.09 and with the "Maximum analysis time per item (seconds):" setting set to 600 seconds. These seem to be obvious bugs that should be detected, nothing obscure.
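Both missed pages share one pattern: a value read from location.hash reaches a sink that executes it as code (setTimeout with a string argument) or navigates to it (location.replace, which honours javascript: URLs). The second page is a direct source-to-sink flow; the first is only visible if taint is followed across the call from fire() into timedMsg(callback). The checker below is an added example, not code from the forum post and not how Burp's DOM analysis works: a heuristic, regex-based static taint check over inline <script> blocks that propagates taint through assignments and function parameters to a fixed point and reports sinks whose arguments carry it. The function and constant names (findHashToSinkFlows, SINK_RE, the sample pages) are assumptions of this example; the sample pages are reduced copies of the two responses quoted above plus a constructed safe page for contrast.

```javascript
// Added example: heuristic static detection of location.hash -> sink flows in
// inline <script> blocks. Inline event handlers and external scripts are out of
// scope, and the regexes are deliberately simple; this is an illustration of the
// flow that needs to be tracked, not a production analyzer.

const IDENT = "[A-Za-z_]\\w*";
const SOURCE_RE = /\b(?:document\.)?location\.hash\b/;
// Sinks that execute their argument as code or navigate to an attacker-chosen URL.
const SINK_RE = new RegExp(
  "\\b(eval|setTimeout|setInterval|document\\.write|" +
  "(?:document\\.)?location\\.(?:replace|assign))\\s*\\(([^;]*)\\)", "g");
const FUNC_RE = new RegExp("\\bfunction\\s+(" + IDENT + ")\\s*\\(([^)]*)\\)", "g");
const CALL_RE = new RegExp("\\b(" + IDENT + ")\\s*\\(([^()]*)\\)", "g");
const ASSIGN_RE = new RegExp(
  "\\b(?:var|let|const)?\\s*(" + IDENT + ")\\s*=(?!=)\\s*([^;]+);", "g");

// Concatenate the bodies of all inline <script> elements.
function scriptBodies(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const bodies = [];
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies.join("\n");
}

function matchAll(re, text) {
  re.lastIndex = 0;
  const out = [];
  let m;
  while ((m = re.exec(text)) !== null) out.push(m);
  return out;
}

// True if `text` references the source directly or any tainted identifier.
function mentionsTaint(text, tainted) {
  if (SOURCE_RE.test(text)) return true;
  for (const id of tainted) {
    if (new RegExp("\\b" + id + "\\b").test(text)) return true;
  }
  return false;
}

function findHashToSinkFlows(html) {
  const js = scriptBodies(html);
  const tainted = new Set();

  // Function name -> parameter names, so taint can cross a call boundary
  // (fire() passing a hash-derived value into timedMsg(callback)).
  const params = new Map();
  for (const m of matchAll(FUNC_RE, js)) {
    params.set(m[1], m[2].split(",").map((p) => p.trim()).filter(Boolean));
  }

  // Propagate taint to a fixed point: assignments whose right-hand side
  // mentions a tainted value, and parameters that receive a tainted argument.
  let changed = true;
  while (changed) {
    changed = false;
    for (const m of matchAll(ASSIGN_RE, js)) {
      if (!tainted.has(m[1]) && mentionsTaint(m[2], tainted)) {
        tainted.add(m[1]);
        changed = true;
      }
    }
    for (const m of matchAll(CALL_RE, js)) {
      const ps = params.get(m[1]);
      if (!ps) continue;
      m[2].split(",").forEach((arg, i) => {
        if (ps[i] && !tainted.has(ps[i]) && mentionsTaint(arg, tainted)) {
          tainted.add(ps[i]);
          changed = true;
        }
      });
    }
  }

  // Report every sink whose argument list carries a tainted value.
  const findings = [];
  for (const m of matchAll(SINK_RE, js)) {
    if (mentionsTaint(m[2], tainted)) findings.push({ sink: m[1], argument: m[2].trim() });
  }
  return findings;
}

// Sample pages: reduced copies of the two responses from the post, plus a
// constructed safe page that reads the hash but only writes it as text.
const EXAMPLE_1 = `<html><head><script type="text/javascript">
function timedMsg(callback) { if(callback){ var t=setTimeout(eval('callback'),500); return 0; } }
function fire() { var call = location.hash.split("#")[1]; timedMsg(call); }
</script></head><body onload="fire()"></body></html>`;
const EXAMPLE_2 = `<html><head><script>
function go(){ if (document.location.hash.split("#")[1]) { document.location.replace(document.location.hash.split("#")[1]); } }
</script></head><body onload="go()"></body></html>`;
const SAFE_PAGE = `<html><body><div id="out"></div><script>
var x = location.hash.split("#")[1]; document.getElementById('out').textContent = x;
</script></body></html>`;

for (const [name, page] of Object.entries({ EXAMPLE_1, EXAMPLE_2, SAFE_PAGE })) {
  console.log(name, findHashToSinkFlows(page));
}
```

The interprocedural step is what makes the first page findable: without tainting timedMsg's callback parameter from the call site, the setTimeout argument looks clean. The safe page shows the other half of the check, a hash value that is read but only assigned to textContent, which is not a code or navigation sink and produces no finding.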

PortSwigger Agent | Last updated: Jan 26, 2015 09:46AM UTC