Burp community forum

XSS in json parameters

Pauline | Last updated: Sep 08, 2015 08:39PM UTC

Hello? I have got several XSS issues from the Burp Scanning but they couldn't be exploitable as the response messages have 'Content-Type: application/json' header. I investigated this with old browsers (e.g. IE8) but they didn't execute the script either. In this case, could I say the application is safe from XSS issue? When can this vulnerability still be dangerous? Is there a way to exploit this with general browsers? Any advice would be appreciated. Thank you.

PortSwigger Agent | Last updated: Sep 09, 2015 08:06AM UTC

You are right that Burp is currently a bit too liberal in reporting XSS-like behavior in non-HTML responses. We are planning soon to revisit this and bring Burp's reporting into line with what modern browsers do. This has some subtleties, because the behavior can depend on the stated content type, the actual/inferred content type, the presence of a nosniff header, etc.

Burp User | Last updated: Sep 25, 2015 06:13PM UTC

Have you seen this: https://superevr.com/blog/2012/exploiting-xss-in-ajax-web-applications

PortSwigger Agent | Last updated: Sep 28, 2015 07:55AM UTC

Yes, we're aware of those considerations, and will factor them in when we carry out the work to ensure that Burp's reporting of issues is in line with the way that modern browsers handle non-HTML responses.

PortSwigger Agent | Last updated: Feb 19, 2016 09:44AM UTC

Just to let you know that today's release (1.6.39) improves the logic of Burp's XSS reporting for non-HTML stated content types. Burp will now report exactly which browsers may render a particular response as HTML (if any) and will downgrade the issue to informational if no browser will normally do so.

Burp User | Last updated: Aug 09, 2017 10:00AM UTC

Thank you! qhttps://support.portswigger.net/

You need to Log in to post a reply. Or register here, for free.