Cross-site scripting (DOM-based)
Burp has created 3 different DOM XSS issues with this description with High Severity and Firm Confidence
The application may be vulnerable to DOM-based cross-site scripting. Data is read from window.location.hash and passed to the 'html()' function of JQuery.
This is the static analysis :
Data is read from window.location.hash and passed to the 'html()' function of JQuery via the following statements:
$("#player" ) .html('<img alt=...' + n+ '"/0.jpg"/...' )
I don't know if it's a false positive but the missing slash before the n makes it look vulnerable.
$("#player" ) .html('<img alt=...' + '/' + n+ '"/0.jpg"/...' ) --> with the slash it shouldn't be vulnerable
where should I inject the new value of n
But I don't understand how can this impact the website or be executed .
How can I exploit this?
Hi Aly, Our support service is for here to provide technical advice with Burp Suite. Unfortunately, we can’t provide specific assistance with fixing individual issues in people’s apps, or providing information on how vulnerabilities can be exploited.
We would recommend that you fully read our information on DOM Based XSS in the Web Security Academy alongside other useful learning materials online such as the OWASP cheat sheet.