Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Need clarification in Exploiting XSS using script tags

Madhumathi | Last updated: Aug 26, 2021 07:28AM UTC

I'm a beginner. I tried to create a proof of concept using <script>alert(1)</script> in repeater and I viewed the same in web where the alert box didn't appear, but the mentioned script tag was present in the search box for which I was testing. Does this mean it is vulnerable or not? Kindly clarify.

Uthman, PortSwigger Agent | Last updated: Aug 26, 2021 08:18AM UTC

Hi Madhumathi, You can find some helpful resources on XSS below: - https://portswigger.net/web-security/cross-site-scripting - https://portswigger.net/web-security/cross-site-scripting/cheat-sheet Please give these a read and you should be able to understand the issue a lot better. A lot of applications and modern browsers have some type of XSS protection in place (i.e. sanitizing code in input fields to ensure that certain characters are encoded).

Madhumathi | Last updated: Aug 26, 2021 10:53AM UTC

Hi, thank you for your quick response. I checked both the resources and tried with <body onbeforeprint=console.log(1)> instead of <script>alert(1)</script>. In the burp repeater, when the request was sent without the payload, the given input was found in 10 locations in the response. When I tried with the above print payload it resulted in 15 positions and when I copied and pasted the URL to get Proof of concept, the print didn't appear in the screen, instead the page was redirected to another menu in the same application. I tried to figure out if this is vulnerable or not, but couldn't get a clear idea. Kindly clarify this. Is redirection during XSS exploit mean the web application is vulnerable?

Madhumathi | Last updated: Aug 30, 2021 05:58AM UTC

Hi Team, Kindly let me know if redirection to another page of the same web application a result of vulnerability? Kindly explain. Looking forward to get an answer. Thanks in advance!

Uthman, PortSwigger Agent | Last updated: Aug 31, 2021 12:19PM UTC