Burp Suite User Forum

Create new post

False Positive Tag Rendering in Burpsuite

tanknight | Last updated: Aug 31, 2024 12:32AM UTC

I was testing on a website, and found an Reflected XSS, but it seems it's only working if i open request on browser (with burpsuite link). When i open it manually to the browser, the XSS doesn't work Request: GET /simperpus/index.php?keywords=TESTINGWKWK"><img/src/onerror=prompt(1)>&search=search Burpsuite Response: <a href="index.php?resultXML=true&keywords=TESTINGWKWK"><img/src/onerror=prompt(1)>&search=search" Real Website Response: <a href="index.php?JSONLD=true&amp;keywords=TESTINGWKWK%22%3E%3Cimg/src/onerror=prompt(1)%3E&amp;search=search"

Hannah, PortSwigger Agent | Last updated: Sep 03, 2024 04:28PM UTC

It looks like you can bypass URL encoding when you use Burp, whereas when you perform this in the browser, your special characters are URL-encoded. You can find out more about XSS on our Web Security Academy here: https://portswigger.net/web-security/cross-site-scripting Some of the labs available provide some additional methods to try and exploit XSS when special characters are encoded. For example, "Reflected XSS into a JavaScript string with angle brackets and double quotes HTML-encoded and single quotes escaped".

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.