Burp Suite User Forum


Post Request input Reflected on another page.

χαραλαμπος | Last updated: Mar 31, 2022 07:25AM UTC

Hello all, I sent a POST request with some data that returns OK in the response. The data are stored and can be seen on another page. Is there a way to automate the scanning for stored XSS or make the Burp active scanner aware of this? Thank you in advance.

Liam, PortSwigger Agent | Last updated: Mar 31, 2022 08:36AM UTC

It sounds like Burp Scanner should perform this check automatically. Is Burp missing this stored XSS issue?

χαραλαμπος | Last updated: Mar 31, 2022 11:38AM UTC

I haven't managed to successfully exploit it yet, but it should report that the payload is getting reflected in the page even if the payload is not executed.

Liam, PortSwigger Agent | Last updated: Mar 31, 2022 12:52PM UTC

That is correct, Charalampos. Would it be possible to provide us with the relevant requests and responses demonstrating the issue? If so you can email us via support@portswigger.net.

χαραλαμπος | Last updated: Apr 02, 2022 07:08AM UTC

I found that this is also happening in the lab "Stored XSS into anchor href attribute with double quotes HTML-encoded". The scanner puts in a lot of payloads that get executed if you manually navigate to the correct page, but it never flags the XSS.

Liam, PortSwigger Agent | Last updated: Apr 04, 2022 06:35AM UTC

Thanks for the additional information. Would it be possible to provide us with the relevant requests and responses demonstrating the issue?

Luca | Last updated: Jul 31, 2022 11:22AM UTC

Not only that lab: I've recently run Burp active scan on each "Stored XSS" lab of the Academy, both on the root URL and on specific requests, and it can never find a single stored XSS. Not sure what I am doing wrong or if there is a sort of regression after this article: https://portswigger.net/blog/improved-detection-of-stored-input

Luca | Last updated: Jul 31, 2022 11:34AM UTC

For example, what are the correct steps so that Burp can identify the stored XSS in "Stored XSS into HTML context with nothing encoded"? It cannot find it for me.

Luca | Last updated: Jul 31, 2022 06:53PM UTC

After further checking, it looks like Burp can find the stored XSS in "Stored XSS into HTML context with nothing encoded" after a second pass of active scan. However, it doesn't seem to find XSS in the other two "stored XSS" labs, as the scan, even only for the affected parameter (for example the website field of a blog comment for "Stored XSS into anchor href attribute with double quotes HTML-encoded"), takes too long and the environment is deleted.
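Added example (editor's illustration, not Burp Scanner's code and not posted by anyone in this thread): the stored-input check the original question asks for, reduced to its core. Submit a unique alphanumeric canary followed by a few probe characters, fetch the page where the data is rendered, and for each reflection work out the HTML context and which probe characters came back unencoded. The sample page and canary value are constructed to mirror the two labs discussed above: the comment body lands in HTML text with nothing encoded, and the website field lands at the start of an anchor href with the double quote encoded, where a javascript: URL needs no quote break-out at all. A real run would fetch the rendered page over HTTP after the POST; the context heuristic is deliberately simple and is not Burp's logic.

```python
import re
import secrets
from dataclasses import dataclass

# Stand-alone illustration; none of these names are Burp Scanner's API.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data"}
PROBE_CHARS = '"\'<>'          # appended to the canary when it is submitted
ENCODINGS = {                  # HTML-encoded forms each probe char may come back as
    '"': ("&quot;", "&#34;", "&#x22;"),
    "'": ("&#39;", "&#039;", "&#x27;", "&apos;"),
    "<": ("&lt;", "&#60;", "&#x3c;"),
    ">": ("&gt;", "&#62;", "&#x3e;"),
}

@dataclass
class Reflection:
    offset: int
    context: str            # text | script | comment | attr_value | tag
    tag: str = ""
    attr: str = ""
    quote: str = ""
    at_value_start: bool = False
    unencoded: str = ""     # probe characters that came back literally

def make_canary() -> str:
    """Alphanumeric token: no HTML encoding touches it, so it is always findable."""
    return "zq" + secrets.token_hex(4)

def _context_before(page: str, idx: int) -> Reflection:
    """Heuristic HTML context of position idx, judged only from the text before it."""
    before = page[:idx]
    if before.rfind("<!--") > before.rfind("-->"):
        return Reflection(idx, "comment")
    low = before.lower()
    if low.rfind("<script") > low.rfind("</script"):
        return Reflection(idx, "script")
    lt, gt = before.rfind("<"), before.rfind(">")
    if lt <= gt:
        return Reflection(idx, "text")       # not inside a tag
    tag_text = before[lt:]
    m_tag = re.match(r"<\s*/?([A-Za-z][\w:-]*)", tag_text)
    tag = m_tag.group(1).lower() if m_tag else ""
    attrs = list(re.finditer(r"([\w:-]+)\s*=\s*([\"']?)", tag_text))
    if attrs:
        last = attrs[-1]
        quote, rest = last.group(2), tag_text[last.end():]
        # still inside the value if its quote has not closed (unquoted: no whitespace yet)
        value_open = quote not in rest if quote else not re.search(r"\s", rest)
        if value_open:
            return Reflection(idx, "attr_value", tag, last.group(1).lower(), quote, rest == "")
    return Reflection(idx, "tag", tag)

def _surviving_probe_chars(tail: str) -> str:
    """Walk the text after the canary; return the probe chars that were not encoded."""
    raw, pos, low = "", 0, tail.lower()
    for c in PROBE_CHARS:
        if tail.startswith(c, pos):
            raw, pos = raw + c, pos + 1
            continue
        enc = next((e for e in ENCODINGS[c] if low.startswith(e, pos)), None)
        if enc is None:
            break                            # stripped, truncated, or transformed
        pos += len(enc)
    return raw

def locate_reflections(page: str, canary: str) -> list[Reflection]:
    found = []
    for m in re.finditer(re.escape(canary), page):
        r = _context_before(page, m.start())
        r.unencoded = _surviving_probe_chars(page[m.end():m.end() + 64])
        found.append(r)
    return found

def assess(r: Reflection) -> str:
    """Which break-out a scanner should try next for this reflection (heuristic)."""
    if r.context in ("text", "script"):
        if "<" not in r.unencoded:
            return "reflected-only"
        # raw '<' opens a new tag in text, or ends the block via '</script>' in script
        return "xss:tag-injection" if r.context == "text" else "xss:script-close"
    if r.context == "attr_value":
        if r.attr in URL_ATTRS and r.at_value_start:
            return "xss:url-scheme"          # javascript: needs no quote break-out
        if not r.quote or r.quote in r.unencoded:
            return "xss:attr-breakout"       # close the value, add an event handler
    return "reflected-only"

def scan_page(page: str, canary: str) -> list[tuple[str, str, str]]:
    return [(r.context, r.attr or r.tag, assess(r)) for r in locate_reflections(page, canary)]

# Constructed sample: a blog-post page after a comment was submitted with the
# name, website and body fields all set to canary + PROBE_CHARS.
SAMPLE_CANARY = "zqc0ffee11"   # a real run would use make_canary()
SAMPLE_POST_PAGE = f"""<html><body><section class="comment">
<p><a id="author" href="{SAMPLE_CANARY}&quot;&#39;&lt;&gt;">{SAMPLE_CANARY}&quot;&#39;&lt;&gt;</a></p>
<p>{SAMPLE_CANARY}"'<></p>
</section><script>var last = "{SAMPLE_CANARY}&quot;'<>";</script></body></html>"""
```

Calling scan_page(SAMPLE_POST_PAGE, SAMPLE_CANARY) reports four reflections: the href value as xss:url-scheme even though every probe character was encoded, the link text as reflected-only, the comment body as xss:tag-injection, and the script string as xss:script-close. The point for a scanner is the first of these: a reflection with all quotes encoded still needs a javascript: payload tried when it controls the start of a URL attribute, which is exactly the case the thread says goes unflagged.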

Liam, PortSwigger Agent | Last updated: Aug 01, 2022 04:23PM UTC

Thanks for your investigation and follow-up, Luca. Our research team agrees that we should find stored XSS in the comment post. I've created a development ticket for our Scanner team to look into this issue. We'll update this thread when we have something to share.
