Burp Suite User Forum


test Cross-site scripting in scanner using encoded payloads

APOORV | Last updated: Sep 13, 2017 08:59PM UTC

Hello, I observed that the scanner was testing reflected XSS issues using payloads that are not URL encoded. This sometimes results in false positives as all modern popular browsers URL-encode special characters in the address bar by default. Please let me know your thoughts on this. Nevertheless, Burp is the single greatest tool for a web pentester. Thank you :)

PortSwigger Agent | Last updated: Sep 14, 2017 08:23AM UTC

Hi Apoorv, Thanks for your message. Internet Explorer doesn't encode less-than characters in the address bar, and the browser is widely used, so these issues are valid findings. We're going to keep an eye on this, and if IE changes behavior we'll reconsider how the scanner detects and reports these issues. Please let us know if you need any further assistance.
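As an added illustration of the point discussed above (not code from the thread or from PortSwigger), the following compares what a reflecting endpoint receives when a probe is sent raw, as the scanner does, versus percent-encoded, as a browser that encodes the address bar would send it, and shows the output-encoding fix. The URLs, parameter name and reflecting functions are constructed assumptions for this example.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed sample URLs (assumptions, not from the forum thread): the same
# reflected-XSS probe sent raw, and sent by a browser that percent-encodes "<", ">" and spaces.
RAW_URL = "http://example.test/search?q=<img src=x onerror=alert(1)>"
ENCODED_URL = "http://example.test/search?q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"


def raw_query(url: str) -> str:
    """The query string exactly as it travels on the wire (what a handler that
    reflects the raw request line would see). Differs between the two URLs."""
    return urlsplit(url).query


def query_value(url: str, name: str) -> str:
    """What a typical web framework hands the application: the percent-decoded
    parameter value. Identical for both URLs, so browser-side encoding does not
    neutralise the probe once the server decodes it."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def reflect_unsafely(url: str) -> str:
    """Vulnerable pattern: decoded parameter inserted into HTML without encoding."""
    return f"<p>Results for {query_value(url, 'q')}</p>"


def reflect_safely(url: str) -> str:
    """Mitigated pattern: HTML-entity encode at the point of output, which makes the
    reflection harmless regardless of how the client encoded the request."""
    return f"<p>Results for {html.escape(query_value(url, 'q'), quote=True)}</p>"


def contains_markup(page: str, tag: str = "<img") -> bool:
    """Crude check used here to see whether the reflected value landed as live markup."""
    return tag in page
```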
