Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

New Post View All

Feature Requests

New Post View All

Burp Extensions

New Post View All

Bug Reports

New Post View All

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Full Documentation Contents Burp Projects
Suite Functions Burp Tools
Options Using Burp Suite

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility

XSS Filters: Beating Length Limits Using Spanned Payloads

A powerful technique for beating length limits is to span an attack payload across multiple different locations where user-controllable input is inserted into the same returned page.

The example uses Hackxor, a web application hacking game.

Consider the following form. Clicking the 'Submit data' button returns a page containing the following:

<input type='hidden' id='hash' name='hash' type='text' value=''>

<input name='text' id='text' value='aaaa'>

<input id='img' name='img' type='text' value='bbbb'>

<input id='sound' name='sound' type='text' value='cccc'>

We can see our input reflected. Additionally, the hidden input field hash is reflected in the response.

However, the input fields are restricted to a length limit of 10.

Our payload is being truncated.

Regardless, we can still deliver a working exploit by spanning our payload across the four available input fields. Using JavaScript comments we can make our the browser ignore the chunks of source code that would otherwise separate our payload.





We have used a single line comment to remove the source code between img and sound inputs. This allows us to use a ten byte payload: ;</script>.


Here we can see our modified payload in the response and the effect of the JavaScript comments on the source code.


Finally, we can reload the page in our browser to confirm that our payload fires.