Installing XSS Validator
Hey there! The easiest way to get the XSS Validator plugin is to install it from the Bapp Store by navigating to the “Extender” tab and then the “Bapp Store” submenu. Click the “Install” button and let Bapp do the work.
If you face any issue installing straight from the store, you can also install it manually by downloading the jar file from either its Github and selecting it from the “Manual Install” file uploader option at left bottom.
Whichever way you install the Burp Extension, you’ll also need to setup the Phantomjs server locally so that it can receive and parse incoming XSS tests.
Phantomjs Setup
Download Phantomjs server from here and make it a globally-available by setting Environment variables . After the phantomjs configuration you should see the below screen when executing the phantomjs command in cmd/powershell.
Configuration and Execution
Clone the Github repo and navigate to the xss-validator
directory and bootstrap the server with phantomjs xss.js &
(The &
sets the command as a background process).
Now you’re all set for working with XSS-Validator.
First, Capture the request in Burp and send it to Burp Intruder. Select the inputs you’d like to test your XSS payloads. Also, in order to integrate with the XSS Validator extension, we need to make changes to the first three payload-related settings.
Set Payload type as Extension-generated from the drop down. Then Add Invoke Burp extension XSS Validator and Enable the rule.
Then, Copy the Grep Phrase from XSS Validator tab:
and navigate to intruder > Grep-Match and add it in list. Leave everything else as default and start attack.
Now you’re all set. Go find those XSS bugs.
Happy Hacking!
Twitter: https://twitter.com/_seecko