The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Intruder - XSS payload add-ons

olek | Last updated: Nov 25, 2020 06:45PM UTC

Hello, this is Olek. I would like to ask about the Intruder scanner. If I scan some website looking for some XSS, I have about 1000 payloads. There are some add-ons for Burp to check which payload suits XSS. For example, <script> alert (1) works on the same website. But how will I know? Manually checking all 1000 payload requests takes a lot of time.

Liam, PortSwigger Agent | Last updated: Nov 26, 2020 11:24AM UTC

Have you checked out the "Harvesting useful data" section of the Using Burp Intruder support page? - https://portswigger.net/burp/documentation/desktop/tools/intruder/using#harvesting-useful-data

olek | Last updated: Nov 26, 2020 01:41PM UTC

No, I am just asking about something like XSS Validator. If you use a 1000-line payload list and you want to know which payload makes an XSS pop-up on some website, how will you do this? 1. You manually check them all. 2. You use some additional add-on for Burp and have free time to make coffee. Which add-on shows me that this <scrip> payload works on this website??? This add-on will inform me about a good shot.

Liam, PortSwigger Agent | Last updated: Nov 27, 2020 12:27PM UTC

XSS Validator is a third-party extension. We'd recommend contacting the author: - https://github.com/PortSwigger/xss-validator

olek | Last updated: Nov 27, 2020 06:54PM UTC

Commits on Feb 13, 2017. Do you think he exists? What do professional people like you use in Burp to know that my XSS payload is correct on a website? You scan, for example, with 10 thousand payloads. How will you know which is correct?? Do you understand the question??

Liam, PortSwigger Agent | Last updated: Nov 30, 2020 10:09AM UTC

In your first message, you suggested you are using Burp Intruder, is that correct? Which version of Burp are you using? Have you tried using Burp Scanner to find XSS issues?

olek | Last updated: Nov 30, 2020 07:48PM UTC

1. Yes. 2. The newest for Community. 3. YES. 4. Look, how will you know this payload is correct, <scrip>alert(1)</script>, if in your scan Intruder uses 100000 payloads???

Liam, PortSwigger Agent | Last updated: Dec 01, 2020 11:15AM UTC

Hi Olek, Burp Scanner is not available as part of Burp Community Edition. If you're using Burp Intruder, you'll need to locate the payload in the response and then confirm it works in your browser. - https://portswigger.net/web-security/cross-site-scripting
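The "locate the payload in the response" step from the reply above can be done offline over saved responses before anything is opened in a browser. This is an added example, not part of the original thread and not PortSwigger's code; the function names, request ids and sample response bodies are constructed assumptions.

```python
import html
from urllib.parse import quote


def classify_reflection(payload: str, body: str) -> str:
    """Describe how a submitted payload appears in one saved response body."""
    if payload in body:
        # Echoed back unchanged: the only case worth confirming in a browser.
        return "raw"
    # Output encoding applied by the application: the markup is inert text.
    if html.escape(payload, quote=True) in body or html.escape(payload, quote=False) in body:
        return "html-encoded"
    if quote(payload, safe="") in body:
        return "url-encoded"
    return "absent"


def triage(results):
    """results: iterable of (request_id, payload, body).

    Returns the request ids whose response reflects the payload unencoded,
    i.e. the short list left for manual confirmation.
    """
    return [rid for rid, payload, body in results
            if classify_reflection(payload, body) == "raw"]


# Constructed sample data: the payload quoted in the thread, sent to
# three hypothetical pages that handle the input differently.
PAYLOAD = "<script>alert(1)</script>"
SAMPLE = [
    (1, PAYLOAD, "<p>You searched for: <script>alert(1)</script></p>"),
    (2, PAYLOAD, "<p>You searched for: &lt;script&gt;alert(1)&lt;/script&gt;</p>"),
    (3, PAYLOAD, '<a href="/s?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E">again</a>'),
    (4, PAYLOAD, "<p>No results.</p>"),
]

if __name__ == "__main__":
    for rid, payload, body in SAMPLE:
        print(rid, classify_reflection(payload, body))
    print("confirm in browser:", triage(SAMPLE))
```

A "raw" result only means the text came back unencoded; whether it executes still depends on where in the page it lands, which is why the browser check remains the final step.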

olek | Last updated: Dec 01, 2020 01:17PM UTC

Hi. Now I see you understood my question. "you'll need to locate the payload in the response and then confirm it works in your browser" HOW????? If I have 1000000 payloads and the scan with Intruder runs all day, HOW do I know which one suits the website as XSS?????????

Liam, PortSwigger Agent | Last updated: Dec 01, 2020 02:56PM UTC