Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Get to xss cheat sheet, lab2 XSS project?

Mr | Last updated: Jun 09, 2020 03:46PM UTC

Think I have certificate set up correctly I am working on this lab from XSS, it's the second lab: In Burp Intruder, in the Positions tab, click "Clear §". In the request template, replace the value of the search term with: <> Place the cursor between the angle brackets and click "Add §" twice, to create a payload position. The value of the search term should now look like: <§§> Visit the XSS cheat sheet and click "copy tags to clipboard". In Burp Intruder, in the Payloads tab, click "Paste" to paste the list of tags into the payloads list. Click "Start attack". How to 'copy tags to clipboard via xss cheat sheet' as the page won't load when I have 'interceptor on' ?

Uthman, PortSwigger Agent | Last updated: Jun 09, 2020 04:18PM UTC

Have you tried turning intercept off? What is the title of the lab you are trying to complete?

Mr | Last updated: Jun 10, 2020 06:57AM UTC

ok, I have done that, and worked through the tutorial , more or less working now lab is cross site scripting, 'Reflected XSS into HTML context with most tags and attributes blocked' I end up with something like this: <iframe src="https://ace31fb11f793a1e*****c013400d0.web-security-academy.net/?search=%22%3E%3Cbody%20onresize=alert(document.cookie)%3E" onload=this.style.width='100px'> now it says, go to exploit server , paste this in , store, then send however where do i paste it in? in the body, url, or file section? either way, it doesn't solve the lab

Uthman, PortSwigger Agent | Last updated: Jun 10, 2020 08:10AM UTC

You need to replace the body section on the exploit server. Did you replace your lab ID or are you using your exploit server URL in the above? You may find this video solution helpful: - https://www.youtube.com/watch?v=5xh7fC6yNo0

Mr | Last updated: Jun 10, 2020 10:38AM UTC

thanks - yes, I was by mistake using the 'exploit server' id , so had to change that it works now, great!

Uthman, PortSwigger Agent | Last updated: Jun 10, 2020 10:41AM UTC