Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Valid XSS not reporting in issues ? Is it me?

Zen | Last updated: Aug 19, 2021 07:01PM UTC

Using a standard test site: http://testphp.vulnweb.com/ <input name="searchFor" type="text" size="10"> Insert simple payload Into search box <script>alert(1);</script> Response: <h2 id='pageName'>searched for: <script>alert(1);</script></h2> http://testphp.vulnweb.com/search.php?test=query will product alert 1 vis xss. I followed https://portswigger.net/support/using-burp-to-manually-test-for-reflected-xss verbatim. Intercept on, etc. Am I missing something? Thanks a lot, Zen

Zen | Last updated: Aug 19, 2021 07:05PM UTC

Just adding raw: POST /search.php?test=query HTTP/1.1 Host: testphp.vulnweb.com Content-Length: 64 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://testphp.vulnweb.com Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://testphp.vulnweb.com/search.php?test=query Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Connection: close searchFor=%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&goButton=go Response: <!-- begin content --> <!-- InstanceBeginEditable name="content_rgn" --> <div id="content"> <h2 id='pageName'>searched for: <script>alert(1);</script></h2></div>

Hannah, PortSwigger Agent | Last updated: Aug 20, 2021 11:00AM UTC

Hi If I run an active scan for XSS issues against that location, I receive an issue for reflected XSS. Could you clarify what you are having issues with?

Zen | Last updated: Aug 20, 2021 06:20PM UTC

Hi Hannah, I was running a manual insertion, no scan. I went to the site, sent the request to the repeater, put in the XSS in "Searchfor" with intercept on, sent the request, forwarded it, got the alert in the browser and expected it to report in the issues section. I hope this explains my thought process and expected behaviour. Many Thanks Zen

Hannah, PortSwigger Agent | Last updated: Aug 23, 2021 11:53AM UTC

Hi Zen Have you tried using the BApp Store extension "Add & Tack Custom Issues" (https://portswigger.net/bappstore/404965964a5b402d975b19da5f0abeec)? That should allow you to quickly and easily create a custom issue from a manually found vulnerability, as opposed to from an automated scan which will generate the issue automatically.

Zen | Last updated: Aug 23, 2021 02:25PM UTC

Hi Hannah, Thank you for the excellent tip! I have added it now. All the very best, Zen

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.