Burp Suite User Forum


XSS False positive

Joel | Last updated: Nov 03, 2016 11:27AM UTC

I have some reflected XSS reported as high + certain when actually there's no vulnerability. There is a specific header (anti-CSRF) which is added by some JS on the page. Since a request from another domain won't be able to add this header, it is not possible to have the reflected XSS work. I believe Burp should be able to identify this as a non-XSS. Thanks for the great tool. Best regards, Joel

Example:

POST /path HTTP/1.1
Host: fitnhotel.fr
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: */*
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF-TOKEN: ktyLTnoI6twbDdwiTGOG9Wh6JLhHNuECtkV+0=
X-Requested-With: XMLHttpRequest
Referer: https://x.y.com/path
Content-Length: 190
Cookie: some
Connection: close

type=geographic_area&lat=48.85661400000001v85pw<script>alert(1)<%2fscript>wn686&lng=2.3522219000000177&latupperleft=49.17320081786136&lngupperleft=1.866423025912468&latlowerright=48.538012026909&lnglowerright=2.8318954084877532

PortSwigger Agent | Last updated: Nov 03, 2016 01:54PM UTC

We've given this some thought and we plan to make Burp issue a follow-up request in this situation only containing headers that browsers will issue by default. If the XSS behavior goes away, then Burp will downgrade the issue to tentative confidence.

Burp User | Last updated: Nov 09, 2016 09:32AM UTC

I don't see it as a bug. The CSRF check can be done via headers, via POST or GET variables, the token can have various names, it might be bypassable (e.g. don't send the header, send an empty value, special characters that break the check, overflow). You see, there are countless possibilities. How could Burp accurately implement and check for all these possibilities? It can't, that's why you are also required to double-check and validate the findings before reporting them. P.S.: There are a few ways to send headers from another origin.
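The re-test PortSwigger describes in the second post, and the "just omit the header" bypass the third post warns about, as an added Python illustration. This is not Burp's code or anything from the forum: it parses the request from the first post, replays it with only the headers a browser would attach on its own to a cross-origin form POST, and downgrades the confidence to tentative if the reflection disappears. The two "servers" (`header_token_server`, `bypassable_check_server`), the `Sender` callable and the reflection of the `lat` parameter are constructed for the example; a real re-test would send over the network. Note that a permissive CORS policy on the target would still let another origin send the custom header, which is why the result is downgraded rather than dismissed.

```python
"""Re-test a reflected-XSS hit using only browser-default request headers (added
illustration of the thread's follow-up request, not Burp's code; RAW_REQUEST is
the request from the first post, the two "servers" are constructed models)."""
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs

# Headers a browser attaches by itself to a cross-origin form POST. Anything
# else (X-CSRF-TOKEN, X-Requested-With, ...) needs script running on the target
# origin or a CORS policy that explicitly allows it.
BROWSER_DEFAULT_HEADERS = {
    "host", "user-agent", "accept", "accept-language", "accept-encoding",
    "content-type", "content-length", "cookie", "connection", "referer",
    "origin", "cache-control", "pragma", "upgrade-insecure-requests",
}
# Content types a cross-origin form or fetch() may send without a preflight.
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
PAYLOAD = "<script>alert(1)</script>"
EXPECTED_TOKEN = "ktyLTnoI6twbDdwiTGOG9Wh6JLhHNuECtkV+0="  # token value from the post

RAW_REQUEST = """POST /path HTTP/1.1
Host: fitnhotel.fr
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: */*
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF-TOKEN: ktyLTnoI6twbDdwiTGOG9Wh6JLhHNuECtkV+0=
X-Requested-With: XMLHttpRequest
Referer: https://x.y.com/path
Content-Length: 190
Cookie: some
Connection: close

type=geographic_area&lat=48.85661400000001v85pw<script>alert(1)<%2fscript>wn686&lng=2.3522219000000177&latupperleft=49.17320081786136&lngupperleft=1.866423025912468&latlowerright=48.538012026909&lnglowerright=2.8318954084877532
"""

Sender = Callable[[str, Dict[str, str], str], Tuple[int, str]]  # (line, headers, body) -> (status, body)


def parse_request(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers, body.strip("\n")


def strip_to_browser_defaults(headers: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Keep only the headers another origin could make a victim's browser send."""
    kept: Dict[str, str] = {}
    dropped: List[str] = []
    for name, value in headers.items():
        lname = name.lower()
        media_type = value.split(";")[0].strip().lower()
        if lname not in BROWSER_DEFAULT_HEADERS:
            dropped.append(name)
        elif lname == "content-type" and media_type not in SIMPLE_CONTENT_TYPES:
            dropped.append(name)  # e.g. application/json would force a preflight
        else:
            kept[name] = value
    return kept, sorted(dropped)


def retest(raw: str, send: Sender) -> Tuple[str, List[str]]:
    """Return (confidence, dropped headers) for a reflected-XSS candidate."""
    request_line, headers, body = parse_request(raw)
    _, original_resp = send(request_line, headers, body)
    if PAYLOAD not in original_resp:
        return "not reflected", []
    stripped, dropped = strip_to_browser_defaults(headers)
    _, stripped_resp = send(request_line, stripped, body)
    # Still reflected without the extra headers: any origin can trigger it.
    # Gone: the reflection depends on a header an attacker cannot set.
    return ("certain" if PAYLOAD in stripped_resp else "tentative"), dropped


def _reflect_lat(body: str) -> Tuple[int, str]:
    lat = parse_qs(body).get("lat", [""])[0]  # echoed unencoded, as in the post
    return 200, f"<html><body>Invalid coordinate: {lat}</body></html>"


def header_token_server(request_line: str, headers: Dict[str, str], body: str) -> Tuple[int, str]:
    """Model of the first post's app: the token travels only in X-CSRF-TOKEN."""
    if headers.get("X-CSRF-TOKEN") != EXPECTED_TOKEN:
        return 403, "<html><body>Forbidden</body></html>"
    return _reflect_lat(body)


def bypassable_check_server(request_line: str, headers: Dict[str, str], body: str) -> Tuple[int, str]:
    """Model of the flaw raised in the third reply: omitting the header skips the check."""
    token = headers.get("X-CSRF-TOKEN")
    if token is not None and token != EXPECTED_TOKEN:
        return 403, "<html><body>Forbidden</body></html>"
    return _reflect_lat(body)
```

Calling `retest(RAW_REQUEST, header_token_server)` gives `("tentative", ["X-CSRF-TOKEN", "X-Requested-With"])`: the reflection only happens when the JavaScript-added header is present. Against `bypassable_check_server` the same call returns `"certain"`, because the server skips validation when the header is absent, which is exactly the case the third reply says an automated check cannot be trusted to rule out on its own.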
