Burp Suite User Forum


BURP-Suite unable to detect HTML Injection (XSS) in my scan

David | Last updated: Jul 02, 2021 04:10AM UTC

Hi, one of my customers reported that he was able to inject an HTML tag <i>Italic</i> in one of the fields in our app and the HTML was reflected. I verified what he said and indeed that was true. What I did was I recorded the steps by navigating to the page in question and inserted <i>Italic</i> in one of the fields, and yes, the HTML tag was rendered. But when I ran a scan using the steps I recorded earlier, the vulnerability was not reported. It seems this vulnerability is happening in many places in our app and we would like the tool to be able to pick up all these issues. Do you think this is a bug in your tool? Any help or advice would be greatly appreciated. Thanks, Dave
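A minimal regression check for the reflection Dave describes, added here as an example that is not part of this thread and not Burp's own logic: it submits a unique marker tag and classifies whether the response reflects it verbatim (unencoded, i.e. HTML injection confirmed), HTML-escaped, with the tag stripped, or not at all. The two page renderers are constructed stand-ins for the application's real responses; a live check would pass the fetched response body to the same classifier.

```python
import html
import secrets


def make_probe() -> tuple[str, str]:
    """Return (unique token, probe payload).

    A random token keeps the check from matching content that was
    already on the page before the probe was submitted.
    """
    token = secrets.token_hex(4)
    return token, f"<i>{token}</i>"


def classify_reflection(body: str, token: str) -> str:
    """Classify how the probe tag came back in an HTML response body.

    'unencoded' : literal <i>token</i> present -> HTML injection confirmed
    'encoded'   : tag came back as &lt;i&gt;token&lt;/i&gt; -> output encoding works
    'stripped'  : token present but the tag was removed (e.g. sanitised)
    'absent'    : token not reflected anywhere
    """
    raw = f"<i>{token}</i>"
    if raw in body:
        return "unencoded"
    if html.escape(raw) in body:
        return "encoded"
    if token in body:
        return "stripped"
    return "absent"


# Constructed sample responses (assumptions, not the real app).
def simulated_vulnerable_page(value: str) -> str:
    """Reflects the field value into the page with no encoding."""
    return f"<html><body><p>Hello {value}</p></body></html>"


def simulated_fixed_page(value: str) -> str:
    """Same page with context-appropriate HTML output encoding applied."""
    return f"<html><body><p>Hello {html.escape(value)}</p></body></html>"


def run_check(render) -> str:
    """Submit a fresh probe to a renderer and classify the reflection."""
    token, probe = make_probe()
    return classify_reflection(render(probe), token)


if __name__ == "__main__":
    print("vulnerable page:", run_check(simulated_vulnerable_page))  # unencoded
    print("fixed page:", run_check(simulated_fixed_page))            # encoded
```

Running the classifier over every field the customer reported gives a repeatable pass/fail independent of what the scanner happens to flag.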

Michelle, PortSwigger Agent | Last updated: Jul 02, 2021 11:12AM UTC

Thanks for your message. Can you send an email to support@portswigger.net, please? So that we can look into this, can you send us some more details of the requests and responses showing the HTML tag being rendered, the details of the Burp version, and the scan settings you were using when you scanned the site with Burp, so we can check this in more detail for you?
