Burp Suite shows error codes instead of meaningful results.

Hongchul Lee Nov 26, 2019 02:36AM UTC

Hi team,

I am using Burp Suite v2.1.05.

Regarding the result that Burp Suite showed about Cookie manipulation (DOM-based),
I would like to ask you what the report below means,
because I can't find any cookie-manipulation-related code in my source code.

Dynamic analysis

Data is read from input.value and passed to document.cookie.

The source element has id tenantName and name tenantName.

The following value was injected into the source:


The previous value reached the sink as:

mv8uyuuhlh%2527%2522`'"/mv8uyuuhlh/><mv8uyuuhlh/\>x5m89uq3t6&-fido2login=false; path=/; expires=Tue, 26 Nov 2019 18:48:25 GMT;

The stack trace at the source was:

at Object.FjTfo (<anonymous>:1:319569)
at Object.ymznZ (<anonymous>:1:681627)
at HTMLInputElement.get (<anonymous>:1:686561)
at HTMLInputElement.get [as value] (<anonymous>:1:787041)
at Object.val (https://{domain name}:{port}/{context root}/lib/js/jquery/jquery-3.4.1.min.js:2:68704)
at Object.a.fn.val (https://https://{domain name}:{port}/{context root}/lib/js/aui/aui-widgets-1.11.1.min.js:3:31956)
at passwordLogin (https://{domain name}:{port}/{context root}/:352:36)
at doLogin (https://https://{domain name}:{port}/{context root}/:329:13)
at HTMLInputElement.<anonymous> (https://{domain name}:{port}/{context root}/:272:13)
at HTMLInputElement.dispatch (https://{domain name}:{port}/{context root}/lib/js/jquery/jquery-3.4.1.min.js:2:42571)
at HTMLInputElement.v.handle (https://{domain name}:{port}/{context root}/lib/js/jquery/jquery-3.4.1.min.js:2:40572)
at _0x27baa0 (<anonymous>:1:884672)
at Object.pyhcP (<anonymous>:1:345450)
at _0x24df34 (<anonymous>:1:895368)

The stack trace at the sink was:

at Object.hNlNt (<anonymous>:1:337090)
at Object.tJcyh (<anonymous>:1:872853)
at HTMLDocument.Object.<computed>.set (<anonymous>:1:873868)
at setCookie (https://{domain name}:{port}/{context root}/fido/js/util/fidoUtil.js:862:21)
at passwordLogin (https://{domain name}:{port}/{context root}/:352:9)
at doLogin (https://{domain name}:{port}/{context root}/:329:13)
at HTMLInputElement.<anonymous> (https://{domain name}:{port}/{context root}/:272:13)
at HTMLInputElement.dispatch (https://{domain name}:{port}/{context root}/lib/js/jquery/jquery-3.4.1.min.js:2:42571)
at HTMLInputElement.v.handle (https://{domain name}:{port}/{context root}/lib/js/jquery/jquery-3.4.1.min.js:2:40572)
at _0x27baa0 (<anonymous>:1:884672)
at Object.pyhcP (<anonymous>:1:345450)
at _0x24df34 (<anonymous>:1:895368)

This was triggered by a keypress event on an element with an id of username and a name of username with the following HTML:

<input type="text" id="username" name="username" tabindex="1" height="50px" class="sign_input" place
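
The source-to-sink flow in the report above (a value read from input.value concatenated into a document.cookie write), as an added example that is not code from the original post or from the site's fidoUtil.js; the `${tenant}-fido2login` cookie name, the setCookie-style helper `setLoginCookie` and the sample inputs are assumptions:

```javascript
// Added example, not code from the original post or from the site's fidoUtil.js.
// It models the flow Burp reported: a value read from an <input> (the source)
// is concatenated into a string that is assigned to document.cookie (the sink).
// The cookie name pattern `${tenant}-fido2login` is an assumption based on the
// value Burp showed reaching the sink.

// Roughly how a browser reads a cookie string: the first "name=value" pair is the
// cookie itself; every later ";"-separated token is an attribute (path, expires, ...).
function parseCookieString(str) {
  const parts = str.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split('=');
  const attrs = {};
  for (const p of parts.slice(1)) {
    const [k, ...v] = p.split('=');
    attrs[k.trim().toLowerCase()] = v.join('=').trim();
  }
  return { name: name.trim(), value: rest.join('='), attrs };
}

// Unsafe pattern: the untrusted tenant name goes straight into the cookie string.
// A ";" in the input ends the name/value part, so the rest of the input is read
// as cookie attributes and the intended cookie name is lost.
function buildCookieUnsafe(tenant, value) {
  return `${tenant}-fido2login=${value}; path=/; expires=Tue, 26 Nov 2019 18:48:25 GMT;`;
}

// Hardened pattern: only accept what a tenant name can legitimately be, and
// encode it so ";", "=", quotes and whitespace never reach the sink verbatim.
function buildCookieSafe(tenant, value) {
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(tenant)) {
    throw new Error('invalid tenant name');
  }
  const name = encodeURIComponent(`${tenant}-fido2login`);
  const val = encodeURIComponent(String(value));
  return `${name}=${val}; path=/; SameSite=Lax; Secure`;
}

// Hypothetical replacement for a setCookie-style helper: builds the hardened
// string, writes it to the sink when running in a browser, and returns it.
function setLoginCookie(tenant, value) {
  const cookie = buildCookieSafe(tenant, value);
  if (typeof document !== 'undefined') document.cookie = cookie;
  return cookie;
}

// Constructed inputs: a tenant name carrying ";" (the class of value a DOM
// scanner puts into the field) versus a well-formed one.
const CONSTRUCTED_BAD_TENANT = 'acme;max-age=31536000;';
const CONSTRUCTED_GOOD_TENANT = 'acme';
```

Running parseCookieString over both builders shows the difference: the unsafe string sets a cookie named `acme` with an injected attribute, while the hardened one refuses the bad input and otherwise sets `acme-fido2login` with only the attributes the code intended.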


Michelle Gillian Nov 26, 2019 11:29AM UTC Support Center agent

Hi

To help us understand your issue, could you email us the full issue detail from Burp Suite at support@portswigger.net?
