I have recently upgraded to the newest version of Burp, which includes the new DAST tools. I am receiving reports from the tool that it has found DOM-based JavaScript injection, but I am having trouble digesting the output:
> Data is read from textarea.value and passed to eval. The source element has id pastBoxField and name pastBoxField. The previous value reached the sink as: (dkezib%2527%2522`'"/dkezib/>xrpjqc&)
In the demo PortSwigger posts here: https://portswigger.net/blog/dynamic-analysis-of-javascript the example appears much more complete, with the actual value injected and the proof-of-concept. The output I am getting has none of this, only what is in the blockquote above and the stack trace at source and sink.
I can't for the life of me seem to recreate this or confirm if this is a false positive. I don't have the value injected, so even though it could be the value reached at the sink, I can't verify this. I am relatively new to this type of testing, so I am sure there is a way to manually test this. I have been trying to find an in-depth description illustrating such a thing but can't find one. Obviously there is the PortSwigger one, but it provides more information than my example.
Can anyone point me in the right direction of how to manually confirm if this is a false positive or not? I don't mind reading through research or something. I realize you can debug in Firefox, but I can't figure out how to trace what I need. Please feel free to yell, scold, or point out I am missing something obvious if that's the case.
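
The source-to-sink report quoted in the post (textarea.value reaching eval) can be reproduced by hand with a sink wrapper that records any call carrying a known canary. This is an added example, not part of the original post and not Burp's code; `hookSink`, `page.evalLike`, the handler and the canary `zzcanary1` are constructed for illustration.

```javascript
// Added example, not Burp's code. Wraps a sink so that any call whose argument
// contains a tester-chosen canary is recorded with the value and a stack trace.
function hookSink(owner, name, canary, hits) {
  const original = owner[name];
  owner[name] = function (...args) {
    const arg = String(args[0]);
    if (arg.includes(canary)) {
      hits.push({
        sink: name,
        value: arg, // exactly what reached the sink, after any encoding
        // Syntax-breaking characters that arrived unencoded.
        rawMeta: ['"', "'", '`', '<', '>'].filter((c) => arg.includes(c)),
        stack: new Error('sink reached').stack, // code path into the sink
      });
    }
    return original.apply(this, args);
  };
  return () => { owner[name] = original; }; // undo the hook
}

// Constructed stand-ins so the block runs offline under Node.
function demo() {
  const hits = [];
  const page = { evalLike: (code) => code.length }; // stand-in sink, evaluates nothing
  const textarea = { id: 'pastBoxField', value: '' }; // stand-in source element
  // Hypothetical page code: reads the field and hands it to the sink.
  const handler = () => page.evalLike('(' + textarea.value + ')');

  const restore = hookSink(page, 'evalLike', 'zzcanary1', hits);
  textarea.value = 'zzcanary1\'"`<>'; // constructed probe: canary + metacharacters
  handler(); // recorded
  textarea.value = 'ordinary text';
  handler(); // no canary, not recorded
  restore();
  return hits;
}

console.log(demo().map(({ sink, value, rawMeta }) => ({ sink, value, rawMeta })));
```

In a browser the same wrapper can be installed from the devtools console with `hookSink(window, 'eval', canary, hits)` before typing the canary into the field. Replacing `window.eval` turns the page's `eval(...)` calls into indirect (global-scope) evals, so code that relies on local variables inside the evaluated string may behave differently while the hook is in place.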