Burp community forum

XSS detection is inconsistent

Anuradha | Last updated: Aug 30, 2015 10:17AM UTC

HI, I did Active scan for one request on form submission using burp pro v 1.6.17 . It didn't listed any XSS for one hidden parameter which is not encoded . It I do same thing using Intercept proxy XSS is listed . Later We have encoded the parameter and tested for same hidden parameter using manual scan .Its not listed XSS . Just to ensure how Automated scan is working again we removed encoding for same parameter and did Active scanning . Its listed XSS in Scan result for Active scan . What can be reason that why first time its not listed XSS when we do Active scan . Why its listed second time of Active scan ? Please look into this.

PortSwigger Agent | Last updated: Sep 01, 2015 01:14PM UTC

In our testing, Burp behaves consistently in its detection of XSS. There are various things that can cause results of real-world scanning to be non-deterministic, such as occasional network-level errors, changing application state leading to different discovered content or observed behavior, or loss of session. Also, when you are initiating the same item for scanning in different ways, be sure that you are scanning the request that submits the parameter you believe is vulnerable (and not e.g. the request containing the form that makes that request).

You need to Log in to post a reply. Or register here, for free.