Burp Suite User Forum


Incorrect Issue Type/Advisory Finding & Remediation

grace | Last updated: Jul 27, 2021 09:28PM UTC

Issue: Browser cross-site scripting filter disabled. This issue is incorrect. The remediation says to use "X-XSS-Protection: 1; mode=block" but according to OWASP "The X-XSS-Protection header has been deprecated by modern browsers and its use can introduce additional security issues on the client side. As such, it is recommended to set the header as X-XSS-Protection: 0". Reference: https://owasp.org/www-project-secure-headers/#x-xss-protection This issue should be fixed in the app.

Uthman, PortSwigger Agent | Last updated: Jul 28, 2021 08:42AM UTC

Hi Grace, Setting X-XSS-Protection to 0 would disable XSS filtering entirely. However, this is still supported in Safari and Internet Explorer. When it has been fully deprecated, we will likely update the scan check. Setting "X-XSS-Protection: 1; mode=block" prevents pages from loading when a reflected XSS attack is detected. - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
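To make the disagreement in this thread concrete, here is a small check that parses the X-XSS-Protection header out of a raw HTTP response and applies both rules side by side: the scanner's (expects "1; mode=block") and OWASP's (expects "0"). This is an added example, not code from Burp Suite or from either poster; the sample responses and the function names are constructed for illustration.

```python
# Constructed sample responses for this example; none are taken from the thread.
SAMPLES = {
    "block":    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-XSS-Protection: 1; mode=block\r\n\r\n<html></html>",
    "disabled": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nx-xss-protection: 0\r\n\r\n<html></html>",
    "filter":   "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-XSS-Protection: 1\r\n\r\n<html></html>",
    "missing":  "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
}

def parse_headers(raw_response):
    """Map lower-cased header names to their values from a raw HTTP/1.1 response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_xss_protection(value):
    """Parse '0', '1' or '1; mode=block[; report=<url>]'; return None if malformed."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or parts[0] not in ("0", "1"):
        return None
    directives = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        if sep:
            directives[key.strip().lower()] = val.strip()
    return {"enabled": parts[0] == "1", "mode": directives.get("mode", "").lower()}

def assess(raw_response):
    """Apply both rules from the thread to one response.

    scanner_flags: True unless the header is exactly '1; mode=block' (the scan check's remediation).
    owasp_flags:   True unless the header is '0' (OWASP's advice to switch the legacy filter off).
    A missing or malformed header is flagged by both rules."""
    value = parse_headers(raw_response).get("x-xss-protection")
    parsed = parse_xss_protection(value) if value is not None else None
    return {
        "value": value,
        "scanner_flags": not (parsed and parsed["enabled"] and parsed["mode"] == "block"),
        "owasp_flags": not (parsed and not parsed["enabled"]),
    }

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, assess(raw))
```

Running it shows that no single header value satisfies both rules, which is exactly why the thread cannot settle on one remediation string.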
