Burp Suite User Forum


Detection of Cross Site Scripting

Karthik | Last updated: Apr 15, 2015 05:59AM UTC

I recently used Burp Suite to perform an XSS scan. A reflected XSS vulnerability was reported. When I reviewed the request and response I noticed that the supplied input is exactly echoed in the output.

Case 1 (two inputs):

Input and Output: f1466'style='behavior:url(#default#time2)'onbegin='alert(1)'31b9b
Input and Output: 508e9"-alert(1)-"dcc3a

Case 2:

Input: <script>alert(123)</script>
Output: alert(123)

In both cases, there were no scripts getting executed, like an alert message or prompt. Just the input appeared in the output. When there is no script getting executed (visibly), how can this be harmful? Could you please clarify my doubts?

PortSwigger Agent | Last updated: Apr 15, 2015 08:36AM UTC

When you say that "there is no script getting executed (visibly)", do you just mean that the alert dialog didn't actually show in your browser? This can happen for various reasons, including the presence of browser anti-XSS filters. The key thing to look at is the syntactic context of the reflected data within the HTML page. Burp chooses XSS payloads that are applicable to that context. So, for example, Burp might use the payload 508e9"-alert(1)-"dcc3a when the input is being reflected within a double-quoted JavaScript string. You need to examine the location of the reflected input (in the location where Burp has highlighted it in the issue response), to determine whether this is a valid issue.
