Burp's current Scanner can report a wide range of DOM-based vulnerabilities using static analysis techniques.
Static and dynamic approaches to security testing have different inherent strengths and weaknesses:
- Static analysis (SAST) is able to find some vulnerabilities that dynamic analysis misses, because it can identify code paths that could possibly be executed in the right circumstances, but which don't in fact get executed during the dynamic analysis. However, static analysis is inherently prone to false positives and noise: it sees some code paths as possibly executable when in fact they are not, and it does not understand custom data validation logic, so it reports taint paths from sources to sinks that are not in fact exploitable.
- Dynamic analysis (DAST) has the opposite characteristics. It is much less prone to false positives because if it actually observes suitable data being propagated from source to sink during execution, then this is concrete evidence for a vulnerability. However, it can suffer from false negatives in situations where the tainted data that it injects doesn't reach a sink due to the current state of the application or the values of other data, both of which an attacker might in fact be able to control.
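The trade-off described in both bullets, as an added illustration that is not part of the original page or of Burp's own analysis: a toy static check and a toy dynamic (canary-injection) check run over three constructed DOM handlers. The handler names, the `customValidate` function and the fake `location`/element objects are all assumptions made for the example.

```javascript
// Added example, not from the page: contrasts a naive static taint check with
// a dynamic canary check over three constructed DOM handlers.

// Custom validation logic that a static analyser does not understand (constructed)
function customValidate(v) { return /^[a-z0-9]*$/i.test(v) ? v : ""; }

// Constructed handlers. They take a fake location and a fake element instead of
// the real DOM so the example runs outside a browser.
const handlers = {
  // a source->sink path exists syntactically, but validation makes it unexploitable
  validated: (loc, el) => { el.innerHTML = customValidate(loc.hash.slice(1)); },
  // the source flows to the sink unchanged
  unsafe: (loc, el) => { el.innerHTML = loc.hash.slice(1); },
  // only reaches the sink when other (attacker-controllable) state is set
  stateful: (loc, el) => { if (loc.search === "?debug=1") el.innerHTML = loc.hash.slice(1); },
};

// Static check: flag any handler whose source text mentions both a source and a sink.
// It cannot tell that customValidate() neutralises the path, so it over-reports.
function staticFlag(fn) {
  const src = fn.toString();
  return /loc\.hash/.test(src) && /\.innerHTML\s*=/.test(src);
}

// Dynamic check: inject a canary containing a metacharacter, instrument the sink,
// and report only if the canary actually arrives there unmodified.
const CANARY = "zz<canary>zz";
function dynamicFlag(fn, search = "") {
  let observed = null;
  const el = { set innerHTML(v) { observed = v; } };
  fn({ hash: "#" + CANARY, search }, el);
  return observed !== null && observed.includes(CANARY);
}

// Run both checks over every handler under a given application state (query string).
function compare(search = "") {
  const result = {};
  for (const [name, fn] of Object.entries(handlers)) {
    result[name] = { static: staticFlag(fn), dynamic: dynamicFlag(fn, search) };
  }
  return result;
}
```

With the default state, `validated` is a static false positive, `stateful` is a dynamic false negative, and only `unsafe` is flagged by both; calling `compare("?debug=1")` shows the dynamic check catching `stateful` once the right state is present.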