Research Academy Daily Swig
My account Customers About Blog Careers Legal Contact

Burp Suite User Forum

Login to post

Stored XSS in JSON and sequence of events

Chintan | Last updated: Jan 10, 2021 07:26AM UTC

I have a query on this approach. - I have a form submit operation, which calls makes JSON call to POST the data in DB. - Response of that JSON is either true / false and hence input payload is not returned - I am able to insert XSS script in database using the above API call. - I have another call which gets the data in AJAX call and then DOM is rendering the XSS which was inserted in first call Manually I can identify this issue, however is there a way where Burp can locate these kind of XSS issue during auto scan? which involvers JSON calls and multiple sequence of operations (i.e. one to create data and another to view data)

Uthman, PortSwigger Agent | Last updated: Jan 11, 2021 01:15PM UTC

Hi Chintan, How are you launching your scan? Is the issue found if you launch an Active scan instead of a Crawl & Audit? What scan configuration are you using? Is the DOM-based XSS issue selected under Issues Reported?

Chintan | Last updated: Jan 12, 2021 01:29PM UTC

Steps: 1. Capture the traffic using Proxy [Manually visiting pages and intercepting via proxy] 2. Selecting entire application tree from target tab. 3. Right click and select scan option 4. Selecting Scan Type as "Audit selected" Items 5. Kept scan configuration as it is [Default] Note: DOM based XSS is selected by default in the configuration. 6. Consolidated items to scan to remove unwanted request and duplicate calls 7. Scan started. Issue faced: 1. I have POST API call to add a comment in the system. [JSON call] - Response is also JSON This API stores the value in the database. and I am able to insert XSS script "<script>alert(1);</script> using this API. 2. I have another GET API call which fetches comments from database [JSON call] - Response is also JSON Once data is received from this API call, Client side javascript then reads the data from the API Response and renders the UI. at that time we are seeing the inserted XSS script on UI. Auto scan is not able to capture this stored XSS.

Uthman, PortSwigger Agent | Last updated: Jan 12, 2021 03:41PM UTC

Hi Chintan, I have discussed this with our development team and it is not currently possible to detect the XSS in this way since the scanner detects stored data paths for non-DOM-based input retrieval. I have raised a feature request for you and we will update this thread when it has been implemented.

You need to Log in to post a reply. Or register here, for free.