
Burp reported potential DOM XSS. Data is read from location and passed to the 'init()' function of jQuery via:

var table = location['table'] || location['sysparm_table'];
snPresence.init(table, sys_id, query);

The URL looks like this:

https://publicsite.com/scripts/Scoreboard/js_includes_cmdb_scoreboard.jsx

Is this vulnerable? How can I check if vulnerable with Chrome DevTools?

PortSwigger also mentions the init() sink of jQuery as leading to DOM XSS:
https://portswigger.net/web-security/cross-site-scripting/dom-based

  • Welcome Romanenko! This is probably a method of a library you are using. I think you should investigate inside that init() method. As far as I know, there is no default init() method of jQuery, please correct me if I am wrong. – Pilfility May 05 '20 at 11:15
  • @Pilfility there is [one](https://github.com/jquery/jquery/blob/master/src/core/init.js?ts=2) but I don't know that it is the one referenced in the code snippet and **anecdotally** it is not something that I have seen used in the wild – iraleigh May 06 '20 at 23:40
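Whether this is exploitable depends entirely on what `snPresence.init()` does with `table`: a parameter that is only used as a lookup key or in a `textContent` assignment is harmless, one that is concatenated into markup handed to `innerHTML`, jQuery's `.html()` / `.append()` or similar is not. The snippet below is an added example, not code from the question or from the site in question, that models that source-to-sink flow in Node and includes a sink-instrumentation helper usable from the Chrome DevTools console. It assumes `location` in the question is a local object of parsed query parameters (`window.location` has no `table` or `sysparm_table` property); the function names `readTableParam`, `renderTableUnsafe`, `renderTableSafe`, `paramBreaksMarkup` and `instrumentHtmlSink` are hypothetical, and the two render functions stand in for an `init()` body that is not visible on the page.

```javascript
// Added example (hypothetical helpers; not the site's or jQuery's code).
// Source side: mirror `location['table'] || location['sysparm_table']`,
// assuming "location" is a parsed-query-parameter object rather than
// window.location. URL is global in both Node and browsers.
function readTableParam(href) {
  const params = new URL(href).searchParams;
  return params.get('table') || params.get('sysparm_table') || '';
}

// Minimal HTML escaping for text and double-quoted attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// Stand-in for a vulnerable init() body: the parameter is concatenated
// straight into markup that would then be assigned to innerHTML / .html().
function renderTableUnsafe(table) {
  return '<div class="presence" data-table="' + table + '">' + table + '</div>';
}

// Hardened stand-in: escape before building markup. In real DOM code, prefer
// textContent / setAttribute over string-built HTML altogether.
function renderTableSafe(table) {
  const t = escapeHtml(table);
  return '<div class="presence" data-table="' + t + '">' + t + '</div>';
}

// True when the raw parameter changes the HTML structure, i.e. the unsafe
// rendering differs from the escaped one.
function paramBreaksMarkup(table) {
  return renderTableUnsafe(table) !== renderTableSafe(table);
}

// Detection aid: wrap the setter of an HTML sink property so that any
// assignment containing a tainted (URL-derived) string is recorded. In the
// DevTools console, on the real page, this would be:
//   instrumentHtmlSink(Element.prototype, 'innerHTML', ['<marker value>'])
// then reload the script's entry point and inspect the returned hits array.
function instrumentHtmlSink(proto, prop, taints, hits = []) {
  const desc = Object.getOwnPropertyDescriptor(proto, prop);
  if (!desc || typeof desc.set !== 'function') {
    throw new Error(`${prop} is not an accessor on the given prototype`);
  }
  Object.defineProperty(proto, prop, {
    configurable: true,
    get: desc.get,
    set(value) {
      const str = String(value);
      for (const t of taints) {
        if (t && str.includes(t)) {
          hits.push({ prop, value: str });
          // In a browser, console.trace shows which script reached the sink.
          if (typeof window !== 'undefined') console.trace(`tainted value reached ${prop}`);
        }
      }
      return desc.set.call(this, value);
    }
  });
  return hits;
}

// Constructed sample URL (the original has no query string on the page).
const sampleHref = 'https://publicsite.com/scripts/Scoreboard/js_includes_cmdb_scoreboard.jsx?sysparm_table=incident';
console.log('table param:', readTableParam(sampleHref));
console.log('plain value breaks markup:', paramBreaksMarkup('cmdb_ci'));
console.log('markup value breaks markup:', paramBreaksMarkup('<b>x</b>'));
```

The practical DevTools check is therefore: set a breakpoint inside `snPresence.init`, or instrument the likely sinks with the helper above, then load the page with a distinctive marker in `table`/`sysparm_table` and see whether that marker arrives at a sink unescaped. If it only ever reaches a data attribute via `setAttribute`, `textContent`, or an AJAX query string, Burp's finding is a false positive for this sink.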
