Burp Suite User Forum

Login to post

Eliminate False Positives

Costas | Last updated: Jun 27, 2020 12:43PM UTC

Dear All, I run a scan for a website for one of my clients and i have found around 80 Reflected XSS vulnerabilities. Although i am not able to reproduce them on the web browser. Are those false positives. Burp reported such vulnerabilities as high and confidence level is high. Could you elaborate more on this? Request GET /index.php/product-category/computing/peripherals130pxbws'-alert(1)-'o4w6b/laptop-bags13015/ HTTP/1.1 Host: electroline.test.alleo.tech Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36 Connection: close Cache-Control: max-age=0 Referer: https://electroline.test.alleo.tech/ Response HTTP/1.1 200 OK Server: nginx Date: Fri, 03 Apr 2020 18:58:22 GMT Content-Type: text/html; charset=UTF-8 Connection: close Vary: Accept-Encoding Vary: Accept-Encoding, Cookie Link: <https://electroline.test.alleo.tech/index.php/wp-json/>; rel="https://api.w.org/" X-Cache: MISS Content-Length: 202523 <!DOCTYPE html> <!--[if IE 7]><html class="ie ie7" lang="el"><![endif]--> <!--[if IE 8]><html class="ie ie8" lang="el"><![endif]--> <!--[if !(IE 7) & !(IE 8)]><!--><html lang="el"><!--<![endif]--> <he ...[SNIP]... er-checkbox" data-value="dell" onclick="window.location.assign( '/index.php/product-category/computing/computers130/desktops13005/?filter100=brand&#038;filter100value1=dell&#038;lang=env5u6j&#039;-alert(1)-&#039;hzqnf' )" id="filter-checkbox_brand_dell" > ...[SNIP]...

Liam, PortSwigger Agent | Last updated: Jun 29, 2020 07:52AM UTC

Could you email the full issue detail to support@portswigger.net? Thanks.

Costas | Last updated: Jun 29, 2020 10:06AM UTC

Hi Liam, I already did. The email subject is False Positives.

Liam, PortSwigger Agent | Last updated: Jun 29, 2020 10:14AM UTC

Thanks, Costas.

You need to Log in to post a reply. Or register here, for free.