This extension sends responses to a locally-running XSS-Detector server, powered by Phantom.js and/or Slimer.js.
The XSS Validator from Nvisium solves this problem by using phantomjs to set up a server that receives and verifies XSS findings exported from the Burp Suite interface. It’s a must for testing a target with a large attack surface and a valuable addition to the Burp Suite core.
Before starting an attack it is necessary to start the XSS-Detector servers. Navigate to the xss-detector directory and execute the following:
$ phantomjs xss.js &
$ slimerjs slimer.js &
The server listens on port 8093 by default. It expects base64-encoded page responses in the http-response parameter, which the Burp extender supplies.
Navigate to the xssValidator tab and copy the value of Grep Phrase. Enter this value in the Burp Intruder grep-match function. A match on this Grep Phrase indicates that the XSS payload executed successfully.
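To make the hand-off between Burp and the detector concrete, here is an added Python example (not part of the extension or this page) that does what the extender does for one captured response: base64-encodes the page body, posts it to the local detector as the http-response field, and applies the same Grep Phrase check that Intruder's grep-match performs. The port and field name come from the page; the use of form encoding for the POST, the 127.0.0.1 address, the sample response body and the placeholder Grep Phrase are assumptions.

```python
import base64
import urllib.parse
import urllib.request

# Constructed sample: a captured page body in which a test string was reflected
# unescaped. This is invented input for the example, not a real target's response.
SAMPLE_RESPONSE = b"<html><body>Results for: <script>alert(1)</script></body></html>"

# Default port stated on the page; the loopback address is an assumption.
DETECTOR_URL = "http://127.0.0.1:8093"


def encode_response(body: bytes) -> str:
    """Base64-encode a raw page response as the detector expects (assumes standard, unwrapped base64)."""
    return base64.b64encode(body).decode("ascii")


def build_request(body: bytes, url: str = DETECTOR_URL) -> urllib.request.Request:
    """Build the POST the extender sends: form field http-response=<base64 body>.

    The field name is from the page; application/x-www-form-urlencoded encoding is an assumption.
    """
    data = urllib.parse.urlencode({"http-response": encode_response(body)}).encode("ascii")
    return urllib.request.Request(url, data=data, method="POST")


def payload_fired(detector_reply: str, grep_phrase: str) -> bool:
    """Same decision Intruder's grep-match makes: the reply carries the Grep Phrase only if the payload ran."""
    return grep_phrase in detector_reply


def submit(body: bytes, grep_phrase: str, url: str = DETECTOR_URL, timeout: float = 5.0) -> bool:
    """Send one response to a running detector and report whether the payload executed."""
    with urllib.request.urlopen(build_request(body, url), timeout=timeout) as resp:
        return payload_fired(resp.read().decode("utf-8", "replace"), grep_phrase)


if __name__ == "__main__":
    # Requires xss.js or slimer.js to be listening; paste the value shown in the
    # xssValidator tab in place of this placeholder.
    GREP_PHRASE = "<GREP PHRASE FROM THE XSSVALIDATOR TAB>"
    print(submit(SAMPLE_RESPONSE, GREP_PHRASE))
```

The helpers are split so that the encoding and the grep decision can be exercised without a detector running; only `submit` needs the server started as described above.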
Within the xss-detector directory there is a folder of examples that can be used to test the extender's functionality.
- Bypass-regex.php: demonstrates an XSS vulnerability that occurs when developers attempt to filter input by running it through a single-pass regex.
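The single-pass regex weakness that Bypass-regex.php illustrates is easiest to see side by side with a correct approach. The following is an added Python example, not code from the xss-detector examples folder: a one-pass tag-stripping filter, the same filter iterated to a fixed point, and output encoding with html.escape, each run over a constructed input whose fragments re-form a tag after one removal. The regex, the input string and the helper names are assumptions for illustration.

```python
import html
import re

# Denylist regex of the kind a single-pass filter relies on (constructed for this example).
TAG_RE = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)

# Constructed test input: removing the inner tag once leaves a complete tag behind.
NESTED_INPUT = "<scr<script>ipt>alert(1)</script>"


def single_pass_filter(user_input: str) -> str:
    """The flawed approach: strip matching tags exactly once, left to right."""
    return TAG_RE.sub("", user_input)


def fixed_point_filter(user_input: str) -> str:
    """Repeat the removal until the string stops changing.

    This closes the nesting gap but is still a denylist: any tag or attribute the
    regex does not cover still passes through unchanged.
    """
    previous, current = None, user_input
    while current != previous:
        previous, current = current, TAG_RE.sub("", current)
    return current


def render_safely(user_input: str) -> str:
    """The recommended approach for an HTML text context: encode, do not strip."""
    return html.escape(user_input, quote=True)


def contains_script_tag(rendered: str) -> bool:
    """Check what actually reaches the browser for an intact tag."""
    return TAG_RE.search(rendered) is not None


if __name__ == "__main__":
    for name, fn in (("single pass", single_pass_filter),
                     ("fixed point", fixed_point_filter),
                     ("html.escape", render_safely)):
        out = fn(NESTED_INPUT)
        print(f"{name:12s} -> {out!r}  tag present: {contains_script_tag(out)}")
```

Because html.escape changes every `<` and `>` into an entity, there is no way for fragments to recombine into markup, which is why output encoding rather than input filtering is the fix the example file is pointing at.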
Requires Java version 7
Last updated: 25 January 2017
You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.
You can view the source code for this BApp by visiting our GitHub page.
Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.

In this post I want to share a very cool BurpSuite extension called xssValidator. When you are faced with a large application to test, it is impossible to check all input fields manually, right? We must rely on some kind of automation to ensure that we have covered the whole application surface. The problem with automated scanning is that it can produce a good proportion of false positives.
1. Cross-Site Scripting
One of the major vulnerabilities you will come across is Cross-Site Scripting (XSS). This type of flaw occurs when an application takes untrusted data and sends it to the browser without proper validation. This could allow attackers to inject scripts into the victim's browser, leading to web defacement, session hijacking, etc. As you can imagine, checking a hundred or more potential XSS flaws manually is not much fun.
There are three requirements for using xssValidator:
- Java 7.0 or higher installed
- BurpSuite - Pro or Free (I used the free version and it worked fine)
3. Installing The Extension
The first thing we need to do is download the extender here. Next, we need to install it in Burp:
Navigate to the Extender tab at the top. Click the Add button, ensure the extension type is Java, and select the location of the JAR file:
(Screenshot: Xss Validator Burp Suite)
When you click Next you should see the screen below. If it has installed correctly, there should be no errors in the output below.