Burp Suite User Forum

Burp Pro 2.0.05beta Dynamic analysis injected values do not match reported value reaching sink

David | Last updated: Sep 13, 2018 03:12PM UTC

This is being reported as Client-side JSON injection (DOM-based). The value injected does not match the value that is reported as reaching the sink.

Dynamic analysis

Data is read from input.value and passed to JSON.parse.

The source element has id ctl01_SelectedPersonID and name ctl01$SelectedPersonID.

The following value was injected into the source:

956229

The previous value reached the sink as:

m35yar%2527%2522`'"/m35yar/><m35yar/\>gt6cgj&

Similar issue: this is reported as Ajax request header manipulation (DOM-based). The value injected does not match the value that is reported as reaching the sink.

Dynamic analysis

Data is read from document.cookie and passed to xhr.setRequestHeader.value.

The following value was injected into the source:

lu1g0u%2527%2522`'"/lu1g0u/><lu1g0u/\>c6c025&

The previous value reached the sink as:

pevdo1%27%22`'"/pevdo1/><pevdo1/\>uq1rks&

PortSwigger Agent | Last updated: Sep 13, 2018 03:35PM UTC

Hi David, yes, thanks, there is a bug. In some sources we display the current source value, not the injected one. This will be fixed in a future version of Burp. Thanks for reporting.

PortSwigger Agent | Last updated: Sep 14, 2018 01:29PM UTC

Hi David, thanks for your report! This should be fixed in the latest version of Burp.

Burp User | Last updated: Jul 16, 2019 11:45AM UTC

Wondering in which version the issue is fixed. Thanks.

Rose, PortSwigger Agent | Last updated: Jul 17, 2019 01:04PM UTC

Srinivas, looks like this was fixed in 2.0.06beta.
