We are familiar with Burp Suite, which offers a wide variety of options for web application security testing. This article covers setting up the XSS Validator Burp extension and fuzzing for cross-site scripting vulnerabilities.
Someone asked me to help them with XSS fuzzing for a certain field. This one was the easiest solution if you are after automated testing scenarios. I wanted to document it so that it would also help some other people. 🙂
Step 2: We need an XSS detection server to validate the chances of cross-site scripting. Download XSS Validator from https://github.com/PortSwigger/xss-validator and extract the contents to a local folder.
To start the detection server we need PhantomJS. It can be downloaded from http://phantomjs.org/download.html. Download it and extract it to the “xss-detector” directory (refer to Img 2). We can use PhantomJS on both Windows and Linux. As I was using Burp for Windows, I have downloaded the Windows version here.
Contents of “xss-detector” directory:
We could also use SlimerJS for the XSS detection server. It can be downloaded from https://slimerjs.org/download.html
Step 3: Now navigate to your xss-detector directory via the command line, and start xss.js using PhantomJS.
Step 4: Go to your Burp window and navigate to the XSS Validator tab. You can use either the default Grep phrase or a new one. It is used to detect XSS using the detection server. Here I have used “Tester102_phrase” as the Grep phrase. The JavaScript functions and event handlers can also be altered.
You can open that matched payload from the list and try to replicate it in the browser.