Burp Suite User Forum


Prototype Pollutions DOM Invader

Sara | Last updated: May 26, 2023 02:09PM UTC

Hi, I was trying to use DOM Invader to automatically find the way to solve the following exercises: Client-side prototype pollution in third-party libraries, DOM XSS via an alternative prototype pollution vector and Client-side prototype pollution via flawed sanitization. DOM Invader correctly finds the prototype pollution vectors but after the Scan for the Gadgets it will return anything. How can I solve this? Thank you, Sara

Ben, PortSwigger Agent | Last updated: May 29, 2023 08:11AM UTC

Hi Sara, We are aware of an issue with scanning for gadgets using DOM Invader (this is a result of Google altering some code that impacts how the scanning of gadgets was working). We do now have a fix for this issue and it is likely to be released in the 2023.5.1 version of Burp.

nobug | Last updated: Jul 05, 2023 08:49AM UTC

Hi Ben, I encountered the same problem as Sara and I am using Burp v2023.6.2 (stable). I noticed that, as you said, in Burp v2023.5.1 (Early Adopter) and v2023.5.2 (stable) you've made a bug fix to DOM Invader, with a release note saying "We have fixed an issue with DOM Invader that prevented it from working properly with newer versions of Chromium." Could you confirm this problem again? Thank you.

nobug | Last updated: Jul 05, 2023 08:51AM UTC

In addition, my test lab was "DOM XSS via an alternative prototype pollution vector"

Michelle, PortSwigger Agent | Last updated: Jul 05, 2023 10:09AM UTC

Hi, Thanks for getting in touch and for confirming the lab you were working on :) We are already aware of this issue and have a fix for it coming out in the next Early Adopter release, which will be out soon.
