How to easily find Reflected XSS vulnerabilities!
Hello everybody!
In this blog post, I want to teach you a simple method for finding Reflected XSS vulnerabilities. We only need Burp Suite Pro with the “Reflected Parameters” extension (it requires Burp Suite Pro; a free alternative is available on GitHub: https://github.com/elkokc/reflector) and “XSS Validator”.
1. Open Burp Suite Pro, go to “Extender => BApp Store” and install “Reflected Parameters”.
2. In “Extender => BApp Store” install “XSS Validator”
3. Download “xss-detector” from the following link: https://github.com/PortSwigger/xss-validator
4. Download “PhantomJS” from the following link: https://phantomjs.org/download.html
5. Put “phantomjs.exe” in the “xss-detector” directory and open PowerShell (or a terminal) in the “xss-detector” directory.
6. Execute the following command: “phantomjs.exe xss.js”
7. Now open your target website and Spider the target. (Or manually explore the web application and enter a random string, up to 3 chars, in every input.) (I used a sample website: http://testphp.vulnweb.com/)
8. While the Spider is running, go to the “Reflection” tab, where the reflected values are listed.
9. Select one of the requests and send it to Intruder.
10. In “Intruder => Positions” choose reflected value for payload testing.
11. In “Intruder => Payloads => Payload Sets => Payload type” choose “Extension-generated” and in “Payload Options” click on “Select generator” and choose “XSS Validator Payloads”.
12. In “Intruder => Payloads => Payload Processing” click on “Add”, choose “Invoke Burp extension” and finally choose “XSS Validator”.
13. Go to “xssValidator” tab and copy “Grep Phrase” string.
14. Go to “Intruder => Options”, and under “Grep — Match” clear all expressions and use “Paste” to add the copied string.
15. Click on “Start attack”!
16. In the “Intruder attack” window there is a column named after the string copied in step 13. Every request with a checkmark in this column is a valid XSS vulnerability. (I hope it will be! :D)
17. Right-click on the request, choose “Show response in browser”, paste the generated URL into the browser address bar, and press Enter. An alert should pop up!
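As an added example (written for this post, not code from the Reflected Parameters or XSS Validator extensions), here is the check behind steps 7 and 8 in Python: send a canary that contains the characters a server must encode, then report where each copy lands in the response and whether it came back encoded, so only unencoded reflections go on to Intruder. The canary and the response body are constructed sample data.

```python
import html
import re

# Constructed canary: short letters to locate every reflection, plus the three
# characters a server must encode before echoing user input into HTML.
CANARY = 'zq7k<"\''

# Constructed sample response: the canary is echoed raw into the <h2> text
# and HTML-entity-encoded into the input's value attribute.
SAMPLE_BODY = """<html><body>
<h2>Results for zq7k<"'</h2>
<input type="text" name="searchFor" value="zq7k&lt;&quot;&#x27;">
<p>No items found.</p>
</body></html>"""

def context_of(before):
    """Classify where a reflection sits from the HTML that precedes it."""
    low = before.lower()
    if low.rfind("<script") > low.rfind("</script"):
        return "script"            # inside a <script> block
    last_open, last_close = before.rfind("<"), before.rfind(">")
    if last_open > last_close:     # an unclosed tag: we are inside it
        if before[last_open:].count('"') % 2 == 1:
            return "attribute"     # inside a double-quoted attribute value
        return "tag"
    return "text"

def find_reflections(body, canary=CANARY):
    """Locate each copy of the canary and report its context and encoding."""
    marker = re.escape(canary[:4])   # the letters alone find encoded copies too
    findings = []
    for m in re.finditer(marker, body):
        tail = body[m.start():]
        findings.append({
            "offset": m.start(),
            "context": context_of(body[:m.start()]),
            "raw": tail.startswith(canary),                # < " ' came back as-is
            "encoded": tail.startswith(html.escape(canary)),  # entity-encoded
        })
    return findings

def xss_candidates(findings):
    """Reflections worth sending to Intruder: echoed with < " ' unencoded."""
    return [f for f in findings if f["raw"]]

if __name__ == "__main__":
    for f in find_reflections(SAMPLE_BODY):
        status = "UNENCODED (candidate)" if f["raw"] else "encoded"
        print(f"offset {f['offset']:>4}  context={f['context']:<9} {status}")
```

Entity encoding is the right control only for the text and attribute contexts; a reflection reported as "script" needs JavaScript-string escaping instead, so treat it as a candidate even when it is HTML-encoded.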
Please refer to the video tutorial for any further explanation!
Good Luck.
My Twitter account: https://twitter.com/rrubymann