
Link manipulation (DOM-based) - JQuery

Olga Jan 23, 2019 10:44AM UTC

Hi all,

We use jquery-3.3.1.js in our application.
A Burp scan found Link manipulation (DOM-based) vulnerabilities in JQuery sources:

1. // Anchor tag for parsing the document origin
originAnchor = document.createElement( "a" );
originAnchor.href = location.href;

BURP comment: Data is read from location.href and passed to the 'href' property of a DOM element via the following statement:
originAnchor.href = location.href;

As far as I can see, originAnchor is used in the library just to determine whether the request is crossDomain or not. So this does not look like real link manipulation. So, I think the finding is a false positive.
Am I wrong or not?

2. And one more place was found:

// Set the base href for the created document
// so any parsed elements with URLs
// are based on the document's URL (gh-2965)
base = context.createElement( "base" );
base.href = document.location.href;
context.head.appendChild( base );
} else {
context = document;

BURP comment: Data is read from document.location.href and passed to the 'href' property of a DOM element via the following statement:
base.href = document.location.href;

I have found a comment in the jquery.js:
// Support: Safari 8 only
// In Safari 8 documents created via document.implementation.createHTMLDocument
// collapse sibling forms: the second one becomes a child of the first one.
// Because of that, this security measure has to be disabled in Safari 8.
The comment says that the "security measure has to be disabled in Safari 8 (Version: iOS8 (12A365) and newer)". That means that some security issue exists, but it seems that it is just for Safari.

I have the same question on the JQuery support forum:

They answered: Take it up with the burp people. It’s not even jQuery specific.

Could someone tell me whether these are real JQuery issues and bug reports are needed, or whether the findings are false positives?


Paul Johnston Jan 23, 2019 11:55AM UTC Support Center agent

I don’t see any significant security impact from either of those, so yes, they are false positives.

The JavaScript analysis within Burp is very thorough, but unfortunately does produce some false positives.
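
Added example, not part of the thread and not jQuery's own code: a sketch of the cross-domain comparison that a detached origin anchor like the one in finding 1 serves, showing that only the protocol and host parsed from the page URL reach the check. It uses the WHATWG `URL` class as a stand-in for anchor `href` parsing so it runs in Node; the function names and sample URLs are constructed for illustration.

```javascript
// Stand-in for reading .protocol and .host from an <a> element after
// assigning its href: parse the URL and keep only scheme and authority.
function originOf(href, base) {
  const u = new URL(href, base); // resolves relative URLs against base
  return u.protocol + "//" + u.host; // host includes a non-default port
}

// pageHref plays the role of location.href (the tainted source in the
// finding); requestUrl is the URL an Ajax call is about to hit.
function isCrossDomain(pageHref, requestUrl) {
  try {
    return originOf(pageHref) !== originOf(requestUrl, pageHref);
  } catch (e) {
    // Unparseable URL: assume cross-domain, the conservative answer.
    return true;
  }
}

// Constructed sample: a page URL whose query and fragment carry
// user-influenced data, as a scanner's taint tracking would assume.
const PAGE =
  "https://app.example.test/orders?ref=https://other.example.test/#frag";

function demo() {
  return {
    relative: isCrossDomain(PAGE, "/api/items"),
    otherHost: isCrossDomain(PAGE, "https://other.example.test/api"),
    otherPort: isCrossDomain(PAGE, "//app.example.test:8443/api"),
    otherScheme: isCrossDomain(PAGE, "http://app.example.test/api"),
    malformed: isCrossDomain(PAGE, "http://[bad"),
  };
}

console.log(demo());
```

The query string and fragment of the page URL never reach the comparison, and nothing here produces a link that a user could follow.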
