Potential False Positive DOM Based XSS - 2
Burp reported this below lines as Dom Based XSS vulnerability with Severity: High, Confidence: Firm. I didn't find a way to exploit this lines within a scenario since document.body.classList.add function is used only for creating body tags within class name. (E.g. on the inspector result is <body class="PAYLOAD">). Since this function is escaped characters like " and > there is no way to get outside of the " characters and class attribute. How can this type of XSS vulnerability be exploited, or is it a false positive?
var parts = location.search.split('=');
var part = parts;
Thanks for getting in touch. Yes, this finding looks like a false positive to me. We have a rule for add() because the jQuery add function is an XSS sink. However classList.add is not a sink.
Please let us know if you need any further assistance.