The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


How to Deliver Exploit in Burp and how it affects the certification?

Thiago | Last updated: Dec 08, 2021 01:54PM UTC

I would like to show two labs: "Reflected XSS into HTML context with all tags blocked except custom ones" and "Reflected XSS with event handlers and href attributes blocked". Both use exactly the same strategy but have different resolutions. Why do I need to use <iframe> for solving the first lab, while in the second I need to use location? Why can I not use one or the other? How do I know which I need to use?

James, PortSwigger Agent | Last updated: Dec 09, 2021 09:57AM UTC

Hi Thiago, Thanks for getting in touch. The solutions are different strategies. Reflected XSS into HTML context with all tags blocked except custom ones - custom HTML tags can be used in this lab, it is a lower difficulty level "practitioner" because the alert function can easily be triggered by using a custom tag. Reflected XSS with event handlers and href attributes blocked - is more difficult "expert" level because all events and anchor href attributes are blocked so the solution is to use a vector for the alert function that is clicked by the victim user. Please refer to the video guides under "Community solutions".

Thiago | Last updated: Dec 09, 2021 08:10PM UTC

Hi James, I understand the difficulty level, but the question is when to use <iframe> or <script>location</script> and any other tag or way to deliver the exploits.

James, PortSwigger Agent | Last updated: Dec 13, 2021 11:56AM UTC