Closed floyd-fuh closed 4 years ago
To put this into perspective, there are built-in DOM-based XSS checks that will flag things as "High" and "Certain" only if they detected code that is also vulnerable. So this extension should not assign the same certainty as this extension does not really check if the site is vulnerable.
I agree.
First of all thanks for the plugin.
I'm running this Burp extension against a lot of sites. While most Burp extensions try to match a certainty and severity depending on what they found, this plugin will often say Certainty "Certain" and Severity "High":
https://github.com/h3xstream/burp-retire-js/blob/a736361db09da137d0f5d6b761a51d8cfff13e78/retirejs-burp-plugin/src/main/java/burp/vuln/VulnerableLibraryIssueBuilder.java#L41
As a consequence the Target tab of Burp lights up like a Christmas tree. However, more often than not the flagged website is either not using the feature that is vulnerable at all or it is simply not exploitable (e.g. no source for a DOM-based XSS where an attacker could inject). I find that to be true in 90% of the cases. So I would suggest lowering at least the Certainty ranking. Of course the library is old, but that doesn't mean it's vulnerable, and when it's not vulnerable this extension is creating false positives. So I would suggest lowering the Certainty to "Tentative". Would that be possible?
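For reference, here is what the distinction the issue asks for looks like at the Burp Extender API level. This is an added example, not code from burp-retire-js or from the issue author: it assumes the legacy `burp.IScanIssue` interface (`getSeverity` returns one of "High", "Medium", "Low", "Information"; `getConfidence` returns one of "Certain", "Firm", "Tentative"), and it assumes a hypothetical separate check that sets `vulnerableApiObserved` when the affected library API is actually seen in use on the page. The library/version values are constructed samples. The point is that Severity is taken from the advisory, while Confidence is tied to the evidence that was actually collected: a version match alone is Tentative.

```java
import burp.IHttpRequestResponse;
import burp.IHttpService;
import burp.IScanIssue;
import java.net.URL;

/**
 * Added example (not burp-retire-js's own code): a scan issue for an outdated
 * JavaScript library. A version match says "this library is old", not "this
 * page is exploitable", so the issue is reported as Tentative unless some other
 * check (assumed here, not implemented) has seen the affected API in use.
 */
public class LibraryVersionIssue implements IScanIssue {

    private final IHttpService service;
    private final URL url;
    private final IHttpRequestResponse[] messages;
    private final String library;               // constructed sample, e.g. "jquery"
    private final String version;               // constructed sample, e.g. "1.8.3"
    private final String retireSeverity;        // "low" / "medium" / "high" as retire.js reports it (assumed)
    private final boolean vulnerableApiObserved; // assumption: produced by a separate, page-level check

    public LibraryVersionIssue(IHttpService service, URL url, IHttpRequestResponse[] messages,
                               String library, String version, String retireSeverity,
                               boolean vulnerableApiObserved) {
        this.service = service;
        this.url = url;
        this.messages = messages;
        this.library = library;
        this.version = version;
        this.retireSeverity = retireSeverity;
        this.vulnerableApiObserved = vulnerableApiObserved;
    }

    /** Severity comes from the advisory: map retire.js severity words onto Burp's four values. */
    static String severityFor(String retireSeverity) {
        String s = retireSeverity == null ? "" : retireSeverity.toLowerCase();
        switch (s) {
            case "critical": // treated as High; Burp has no separate Critical level
            case "high":     return "High";
            case "medium":   return "Medium";
            case "low":      return "Low";
            default:         return "Information";
        }
    }

    /** Confidence comes from the evidence, not from how bad the advisory is. */
    static String confidenceFor(boolean vulnerableApiObserved) {
        // Version match only: the site may never call the affected API, so Tentative.
        // Affected API seen on the page: stronger, but still not a proven exploit, so Firm.
        return vulnerableApiObserved ? "Firm" : "Tentative";
    }

    @Override public URL getUrl() { return url; }
    @Override public String getIssueName() { return "Outdated JavaScript library: " + library + " " + version; }
    @Override public int getIssueType() { return 0x08000000; } // issue type for extension-generated issues
    @Override public String getSeverity() { return severityFor(retireSeverity); }
    @Override public String getConfidence() { return confidenceFor(vulnerableApiObserved); }
    @Override public String getIssueBackground() { return null; }
    @Override public String getRemediationBackground() { return null; }
    @Override public String getIssueDetail() {
        return "The page loads " + library + " " + version + ", a version with known advisories. "
             + (vulnerableApiObserved
                ? "The affected API appears to be used on this page."
                : "Whether the affected API is used on this page was not verified.");
    }
    @Override public String getRemediationDetail() {
        return "Upgrade " + library + " to a release without known advisories.";
    }
    @Override public IHttpRequestResponse[] getHttpMessages() { return messages; }
    @Override public IHttpService getHttpService() { return service; }
}
```

With this split, an old jQuery found by version string alone shows up as High / Tentative in the Target tab, which is the honest reading of the evidence; the Severity still tells the tester the advisory matters, while the Confidence tells them that exploitability has not been checked.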