The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Burp Active Scanner failed to detect certain XSS in JSON requests

Albert | Last updated: Nov 14, 2016 07:34AM UTC

Burp Active Scanner is unable to detect certain kinds of JSON parameters which are vulnerable to XSS. Please refer to the screenshot below: https://dl.dropboxusercontent.com/u/9636822/jsonxss.png During manual penetration testing, the parameter “isNeedCheckSpecialCountryConsents” is vulnerable to XSS as shown in the screenshot. However, Burp Active Scanner is unable to detect this vulnerability. This also happens in other parameters such as “isYoungMember” and “isRuOrAmMember”. It appears that Burp Active Scanner is unable to detect certain XSS parameters when data is sent in JSON format; this happens when the type of the parameter is a non-string such as Boolean or Integer (while String type parameters can be detected by Burp without much issue). We have tried playing around with different scanning configurations in Burp and it does not appear to be a configuration issue; Thorough Scanning is already turned on, FYI.

PortSwigger Agent | Last updated: Nov 14, 2016 09:52AM UTC

Thanks for this feedback. It does look like it is the fact that the base value was not a string that caused Burp to fail to find the issue. In general, Burp will put payloads into string values within JSON. In fact, the request shown in your screenshot is not valid JSON, and so we would expect that most frameworks would just reject the data altogether. We'll have a think about this case and decide what is the best approach for Burp to take.
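The coverage gap discussed in this thread, as an added example that is not code from PortSwigger or from either poster: it classifies the scalar leaves of a JSON body by type and shows why a scanner that keeps the original value type only has string leaves to work with. Substituting text into a boolean or integer position either breaks the JSON (raw splice, as in the screenshot) or changes the field's type (quoted splice), which a strictly typed backend may reject before any reflection happens. The sample body and the `probe123` marker are constructed; the real request from the screenshot is not on this page.

```python
import json

# Constructed sample modelled on the thread: boolean, integer and string leaves.
SAMPLE_BODY = '{"isYoungMember": true, "memberAge": 42, "nickname": "alice"}'

SENTINEL = "__probe_sentinel__"  # placeholder swapped out after serialisation


def leaf_types(body: str) -> dict:
    """Map every scalar leaf (keyed by its path tuple) to 'string' or 'non-string'."""
    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                yield from walk(value, path + (key,))
        elif isinstance(node, list):
            for index, value in enumerate(node):
                yield from walk(value, path + (index,))
        else:
            yield path, ("string" if isinstance(node, str) else "non-string")
    return dict(walk(json.loads(body), ()))


def substitute(body: str, path: tuple, text: str, quoted: bool) -> dict:
    """Rebuild `body` with `text` at `path`, either as a JSON string (quoted=True)
    or spliced in raw (quoted=False, the invalid-JSON shape from the screenshot).
    Reports whether the result still parses and whether the leaf kept its type."""
    doc = json.loads(body)
    parent = doc
    for key in path[:-1]:
        parent = parent[key]
    original = parent[path[-1]]
    parent[path[-1]] = SENTINEL
    rendered = json.dumps(doc)
    replacement = json.dumps(text) if quoted else text
    new_body = rendered.replace(json.dumps(SENTINEL), replacement)
    try:
        leaf = json.loads(new_body)
        for key in path:
            leaf = leaf[key]
    except json.JSONDecodeError:
        return {"body": new_body, "valid_json": False, "type_preserved": False}
    return {"body": new_body, "valid_json": True,
            "type_preserved": type(leaf) is type(original)}


if __name__ == "__main__":
    print(leaf_types(SAMPLE_BODY))
    for path, quoted in ((("nickname",), True), (("isYoungMember",), False),
                         (("isYoungMember",), True), (("memberAge",), False)):
        print(path, quoted, substitute(SAMPLE_BODY, path, "probe123", quoted))
```

The only substitution that is both valid JSON and type-preserving for a non-string leaf is another literal of the same type (for example `7` into `memberAge`), which is why such fields need a manual check or a backend that encodes every reflected value regardless of its JSON type.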

Burp User | Last updated: Nov 28, 2016 04:19AM UTC