Burp Xss Validator

  1. Xss Validator Burp Suite
  2. Burp Xss Validator 10
  3. Burp Xss Validator 3
  4. Xss Validator Burp Extension

This extension sends responses to a locally-running XSS-Detector server, powered by either Phantom.js and/or Slimer.js

The XSS Validator from Nvisium solves this problem by using phantomjs to set up a server that receives and verifies XSS findings exported from the Burp Suite interface. It’s a must for testing a target with a large attack surface and a valuable addition to the Burp Suite core.


Best app to create instagram grid

Before starting an attack it is necessary to start the XSS-Detector servers. Navigate to the xss-detector directory and execute the following:

Burp Suite and XSS Validator One problem with automated and semi-automated solutions for XSS is distinguishing signal from noise. To do that, a useful Burp plugin, XSS Validator, runs a PhantomJS-powered web server to receive the results of Burp queries and looks for a string injected into the alert call embedded within the applied XSS snippets. Xss javascript validation burp-suite. Improve this question. Follow asked Oct 17 '16 at 18:14. User5781826 user5781826. 11 1 1 bronze badge. Why do you feel that there is an error? – grochmal Oct 17 '16 at 18:55. Please do not post text as images. The XSS Validator from Nvisium is designed to solve this problem. It verifies XSS findings exported from the Burp Suite interface in a Phantomjs server designed to receive, analyze, and validate possible XSS snippets. The extension is critical for testing a target with a large attack surface.

$ phantomjs xss.js &
$ slimerjs slimer.js &

The server will listen by default on port 8093. The server is expecting base64 encoded page responses passed via the http-response, which will be passed via the Burp extender.

Navigate to the xssValidator tab, and copy the value for Grep Phrase. Enter this value within the Burp Intruder grep-match function. Payloads that match this Grep Phrase indicate successful execution of XSS payload.


Within the xss-detector directory there is a folder of examples which can be used to test the extenders functionality.

  • Basic-xss.php: This is the most basic example of a web application that is vulnerable to XSS. It demonstrates how legitimate javascript functionality, such as alerts and console logs, do not trigger false-positives.
  • Bypass-regex.php: This demonstrates a XSS vulnerability that occurs when users attempt to filter input by running it through a single-pass regex.
  • Dom-xss.php: A basic script that demonstrates the tools ability to inject payloads into javascript functionality, and detect their success.

Requires Java version 7

AuthorJohn Poulin
Last updated25 January 2017

Please note that JavaScript must be enabled to display rating and popularity information.

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

You can view the source code for this BApp by visiting our GitHub page.
Follow @BApp_Store on Twitter to receive notifications of all BApp releases and updates.
Download BApp

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.

In this post I want to share a very cool BurpSuite extension called xssValidator. When you are faced with a large application to test it is impossible to check all input fields manually right?. We must rely on some kind of automation to ensure that we have covered the whole application surface. The problem with automated scanning is that it can result in a good proportion of false positives.
1. Cross-Site Scripting
One of the major vulnerabilities you will come across is Cross-Site Scripting or XSS. These type of flaws occur when an application takes untrusted data and sends it to the browser without proper validation. This could allow attackers to inject scripts into the victims browser causing web defacement, session hijacking etc. As you can imagine checking for a hundred or more XSS flaws manually is not much fun.
Burp Xss ValidatorIn order to reduce the number of false positives during automated scanning the team @ nVisium created the xssValidator extender. Along with creating the extension they also created a custom PhantomJS server. PhantomJS is a headless (no browser required) WebKit scriptable with a JavaScript API. The purpose of the server is to process and build a DOM from HTTP responses. The DOM is then used to check if the JavaScript has executed.
2. Requirements
There are three requirements for using xssValidator:
  • Java 7.0 or higher installed
  • PhantomJS
  • BurpSuite - Pro or Free (I used the free version and it worked fine)

3. Installing The Extension
The first thing we need to do is download the extender here. Next we need to install it in Burp:
Navigate to the extender tab at the top. Click on the add button, ensure extension type is Java and select the location of the JAR file:

Xss Validator Burp Suite

When you click next you should see the screen below. If it has installed correctly there should be no errors in the output below.

4. Setting Up Our Target And BurpSuite Intruder
The next thing to do is set up Intruder and our target. For our target we will be using the bWAPP vulnerable web application. It has a number of XSS vulnerabilities, for this demo we will use the vulnerable POST page.

You need to configure your browser so that it is going through BurpSuite. You should see a request like below:
If you right click on the request a number of options will appear. Select 'Send to Intruder'. We need to configure a few options in the Intruder tab. In Payload Sets select Payload Type - Extension-generated. Then select Generator and select XSS Validator Payloads and ok.
Click the add button under Payload Processing, and select Invoke Burp Extension from the dropdown menu. Select the XSS Validator processor, and click ok.
Now under the positions tab select the payload positions by using the add button. We are focusing on the firstname and lastname parameters.
Under the options tab, browse down to the Grep – Match section, and enter the string “fy7sdufsuidfhuisdf”. This string is returned by the Burp Extender if the payload successfully triggers an XSS.

We also need to install the PhantomJS server. This link will take you through the steps if you are using Windows. You can try phantomjs --version to ensure it is working. Before running the Intruder attack you need to start phantomjs with the xss.js script (wherever you have placed it).
6. Start The Attack
Now we just start the Intruder attack, a pane should open and any positive results will be marked in the checkbox next to the “

Burp Xss Validator 10

fy7sdufsuidfhuisdf” flag. It has returned four occurrences of XSS that have executed.
If you check the phantomjs server you should see the alerts displayed:

Burp Xss Validator 3

If you want to verify the XSS finding, simply right click the specific payload, and select navigate to request in browser -> original session

Xss Validator Burp Extension

This is a really useful burpsuite extension that adds extra validation to automated scanning and will become even better with the increase of payloads. This post follows the steps outlined by the creator of xssValidator (John Poulin) here