Fuzzing with XSS Validator in Burp Suite

We are all familiar with Burp Suite, and it offers a wide variety of options for web application security testing. This article covers setting up the XSS Validator Burp extension and fuzzing for cross-site scripting vulnerabilities.
Someone asked me to help them with XSS fuzzing for a certain field. This was the easiest solution if you are after an automated testing scenario, so I wanted to document it in case it helps other people as well. 🙂

Step 1: Let's install the XSS Validator plugin from the “Extender” tab -> BApp Store.
Alternatively, you can download and install the extension manually from the PortSwigger website.
[Image 1]


Step 2: We need an XSS detection server to confirm whether a payload actually executes. Download XSS Validator from https://github.com/PortSwigger/xss-validator and extract the contents to a local folder.

To start the detection server we need PhantomJS. It can be downloaded from http://phantomjs.org/download.html. Download it and extract it into the “xss-detector” directory (see Img 2). PhantomJS is available for both Windows and Linux; as I was using Burp on Windows, I downloaded the Windows version.
Contents of the “xss-detector” directory:
[Image 4]
We could also use SlimerJS for the XSS detection server. It can be downloaded from https://slimerjs.org/download.html

Step 3: Now navigate to your xss-detector directory on the command line and start xss.js using PhantomJS.
[Image 5]
Step 4: Go to your Burp window and navigate to the XSS Validator tab. You can use either the default Grep phrase or a new one; this phrase is what the detection server reports back when a payload fires, so it is what Burp greps for to detect XSS. Here I have used “Tester102_phrase” as the Grep phrase. The JavaScript functions and event handlers used in the payloads can also be altered here.

[Image 6]


Step 5: Open the target web application, intercept the request in Burp, and send the intercepted request to Intruder.
For this demonstration I have used http://demo.testfire.net/
[Image 7]
[Image 9]

Step 6: Clear all other parameters and add only the parameter required for testing, in this case “test+input”.
[Image 10]

Step 7: Go to the Payloads tab and set the Payload type to “Extension-generated”.
[Image 11]

Step 8: Click the “Select generator” button and select “XSS Validator Payloads” as the extension payload generator.
[Image 12]

Step 9: Click the “Add” button in the “Payload Processing” area, set the payload processing rule to “Invoke Burp extension”, and select “XSS Validator” as the processor.
[Image 13]

Step 10: Navigate to the “Options” tab. Under the “Grep - Match” option, clear all items from the list and add the unique Grep match phrase from the XSS Validator window.
[Image 15]

Step 11: Click “Start attack”.
[Image 16]


Step 12: The scan has started and, as you can see in the screenshot, for some payloads we got a Grep match for our phrase, which indicates the presence of a cross-site scripting vulnerability.
[Image 17]

You can open the matched payload from the list and try to replicate it in the browser.

[Image 18]

Here comes our JavaScript alert box!!! 🙂
[Image 19]