Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

New Post View All

Feature Requests

New Post View All

Burp Extensions

New Post View All

Bug Reports

New Post View All
Documentation

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Full Documentation Contents Burp Projects
Suite Functions Burp Tools
Options Using Burp Suite
Extensibility

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility

Exploiting XSS - Injecting into Scriptable Contexts

In our article "Exploiting XSS - Injecting in to Direct HTML" we started to explore the concept of exploiting XSS in various contexts by identifying the syntactic context of the response. In this article we demonstrate some methods of modifying your input when injecting into various scriptable contexts.

Script

Suppose that after inputting a benign string (asdfghjkl) to each entry point in an application, the returned page contains a variation on the following:

<script>var a ='asdfghjkl'; var b = 123; </script>

Here, the input you control is being inserted directly into a quoted string within an existing script. To craft an exploit, you could terminate the quotation marks around your string, terminate the statement with a semicolon, and then proceed to your desired JavaScript:

'; alert(document.domain); var foo='

In the example we are injecting into double quotes, and so use the following payload (note that spaces are URL-encoded within the payload using the + character):

";+alert)document.domain);+var+foo="

Finally, check that the payload appears as expected in the response.

You can then use Burp's "Request in browser" function" to test the response in your browser.

Testing Reflections in a Tag Attribute Containing a URL

Suppose that after inputting a benign string (asdfghjkl) to each entry point in an application, the returned page contains the following:

<a href="asdfghjkl">Click here ...</a>

 

 

 

 

Here the string you control is being inserted into the href attribute of an <a> tag. In this context, and in many others in which attributes may contain URLs, you can use the javascript: protocol to introduce script directly within the URL attribute:

javascript:alert(1);

In this example we have had to URL-encode the colon and add a double forward slash to comment out the remainder of the script.

Check that the payload appears unmodified in the response, before testing the exploit in your browser.

You can use Burp's "Request in browser" function to perform this check.

 

Here we can see a portion of the payload in the browser's URL display and the POC for our exploit.

It is also worth noting that in this example, the payload will fire when the "Back to album" button is clicked via the application's "Navigation" console. You can observe in the screenshot above that the link is labeled "Back to album" in the response.