XSS Filters: Beating Length Limits Using Shortened Payloads

The most obvious way to beat a filter that truncates input to a fixed maximum length is to shorten the attack payload: use the JavaScript APIs with the shortest possible names and drop characters that are usually included but are strictly unnecessary.

Another technique for shortening a payload is to use the window.name window property. This effectively allows you to 'bootstrap' a much larger JavaScript payload: an attacker can exploit the behavior of window.name by using any website under their control to store a large JavaScript payload.

The example uses a version of the "Magical Code Injection Rainbow" taken from OWASP’s Broken Web Application Project. Find out how to download, install and use this project.

Using the XSS vulnerability on the target site, the attacker's payload can be executed using:

eval(window.name)

This can be shortened further to:

eval(name)

We have used example.com to demonstrate the basic mechanics of this technique.

The payload is inserted into the window.name property of the site under the attacker's control.

When the victim uses the same browser tab to view the vulnerable website, the payload will remain accessible via window.name.

In practice, this technique is most likely exploited through the use of a hidden iframe which sets the payload from the attacker's site and then automatically redirects the iframed window to the vulnerable page on the target site.
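The following is an added example, not code from the original article or from PortSwigger, that models the two kinds of filter the article contrasts: a length-truncating filter and an output-encoding filter. The template, the maximum length of 30 and the sample inputs are constructed for this example; the only payload-specific detail taken from the article is the ten-character `eval(name)` call. It shows why truncation defeats a long inline payload but leaves the short bootstrap intact, while encoding neutralises both.

```javascript
// Added example (not part of the original article). Models a vulnerable
// template plus two candidate filters, to show that a length limit is not a
// substitute for output encoding when the real payload lives in window.name.

// Constructed stand-in for a page that reflects user input into HTML.
const TEMPLATE = '<div class="comment">{{input}}</div>';

// Constructed filter limit: the kind of cap the article is about.
const MAX_LEN = 30;

// The bootstrap from the article: eval(name) wrapped in the smallest
// script context (27 characters, comfortably under MAX_LEN).
const SHORT_PAYLOAD = "<script>eval(name)</script>";

// A constructed "conventional" payload that carries its logic inline and
// therefore does not fit under the cap.
const LONG_PAYLOAD = "<script>" + "x".repeat(100) + "</script>";

function render(template, value) {
  return template.replace("{{input}}", value);
}

// Filter 1: truncate to a fixed maximum length.
function truncateFilter(input, maxLen) {
  return input.slice(0, maxLen);
}

// Filter 2: HTML-encode the characters that can change parse context.
function encodeForHtml(input) {
  const map = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
  };
  return input.replace(/[&<>"'/]/g, (c) => map[c]);
}

function renderWithTruncation(input) {
  return render(TEMPLATE, truncateFilter(input, MAX_LEN));
}

function renderWithEncoding(input) {
  return render(TEMPLATE, encodeForHtml(input));
}

// Does the rendered markup still contain a complete, parseable <script>
// element? (A crude but sufficient oracle for this demonstration.)
function hasExecutableScript(html) {
  return /<script\b[^>]*>[\s\S]*?<\/script\s*>/i.test(html);
}

// Summarise the outcome for both payloads under both filters.
function compareFilters() {
  return {
    truncation: {
      longPayloadSurvives: hasExecutableScript(renderWithTruncation(LONG_PAYLOAD)),
      shortPayloadSurvives: hasExecutableScript(renderWithTruncation(SHORT_PAYLOAD)),
    },
    encoding: {
      longPayloadSurvives: hasExecutableScript(renderWithEncoding(LONG_PAYLOAD)),
      shortPayloadSurvives: hasExecutableScript(renderWithEncoding(SHORT_PAYLOAD)),
    },
  };
}

console.log(JSON.stringify(compareFilters(), null, 2));
```

The truncating filter "works" against the long payload only because it happens to cut off the closing tag; the ten-character bootstrap fits under the cap with room to spare, and the bulk of the attacker's code never passes through the filter at all because it arrives via window.name. Encoding, by contrast, is independent of length. Note also that current Chromium (86+) and Firefox (88+) reset window.name when a top-level navigation crosses sites, which blunts the cross-site iframe-and-redirect variant described above, but the length-limit lesson is unchanged.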