Accurate XSS Detection with BurpSuite and PhantomJS
Edit: a video showing how to use this tool is embedded above, and more can be found on our YouTube page.
In Burp's Extender tab, ensure that the extension type is set to Java, then click the Select file button and browse to the location of the xssValidator.jar file.
Click Add; a window should appear. Check the Errors tab to confirm that nothing failed during loading. If errors occurred, it is likely that the .jar file is not compatible with your version of Java; make sure that you are running Java 7. If the error persists, reach out to us and let us help you!
After adding the extension, it should appear in the Burp Extender panel, as seen below.
Create a new Intruder attack for the target request. Define the target as you normally would, then navigate to the Payloads tab and select the payload type Extension-generated, as seen below.
Click Select generator and choose the XSS Validator Payloads payload generator.
Under Payload Processing, click Add, select Invoke Burp extension from the dropdown menu, choose the XSS Validator processor, and click OK.
Define the payload positions, if you have not already. In the example we are using, xsstest.php has an XSS-vulnerable GET parameter, test; we mark that as our target parameter, as seen below:
Under the Options tab, scroll down to the Grep - Match section and add the string fy7sdufsuidfhuisdf (with no surrounding spaces). This marker is added to the response by the extension when the PhantomJS server reports that the payload actually executed, which is what distinguishes a genuine XSS from a payload that is merely reflected in the page.
Before launching the attack, start the PhantomJS server: change into the xss-detector directory and run “phantomjs xss.js”. After executing the command, the server will be listening for the responses the extension sends to it.
Switch back to the Burp Intruder attack and launch it. Payloads that successfully trigger an XSS are marked by the presence of the fy7sdufsuidfhuisdf flag in the Grep - Match column, as seen below.
To verify a finding manually, right-click the specific payload, select Request in browser -> In original session, and confirm that the payload executes in the browser.
At this point you are probably wondering what's next. There is a whole bunch of stuff on the roadmap:
Testing for false positives: we need to test more extensively to ensure that the PhantomJS server isn't reporting false positives. As of this post, we have yet to see one.
Automatically adding a detection column: we know that it's annoying to add such an odd string (fy7sdufsuidfhuisdf) to the Intruder grep options. This was just a hack until we could figure out a better way of reporting. We want to automate it by adding a new tab to the attack window that marks positive findings, without using this string.
More payloads: this tool will only be effective with a comprehensive and growing list of payloads. The current payloads were inspired by RSnake's XSS Filter Evasion Cheat Sheet.
If you’re looking to get involved, please check out our git repository: https://github.com/nVisium/xssValidator.