Burp Suite User Forum

XSS validator not working

Xavier | Last updated: Nov 01, 2015 05:16PM UTC

I am having some issues running the XSS validator on Burp (version 1.6.30). I can load the XSS validator without any errors. The problem happens under Intruder, after I select the positions / payloads / selecting the generator, and so on. When I hit "Start attack", a window opens, but the attack does not start. It is as if the payloads are not loaded, or the XSS validator is not working. I was able to run phantomjs and slimerjs, and they are both listening on their respective ports. I updated Java to the latest version available. Once I unselect (or unload) the XSS validator from the Extender tab, I can launch any attack under Intruder; for example, with a typical "Simple list" payload, the attack works fine.

PortSwigger Agent | Last updated: Nov 02, 2015 10:02AM UTC

Thanks for this post. BApps are created by third parties and we're not able to provide support for issues with BApps, sorry.

Burp User | Last updated: Nov 07, 2015 02:16AM UTC

I noticed this as well but I got it working on Windows 7. Here's how:

1. Download Apache Ant: http://apache.mirrors.pair.com/ant/binaries/apache-ant-1.9.6-bin.zip
2. Download Apache HttpComponents Client libraries: http://mirror.olnevhost.net/pub/apache//httpcomponents/httpclient/binary/httpcomponents-client-4.5.1-bin.zip
3. Download the latest version of xssValidator from GitHub: https://github.com/nVisium/xssValidator
4. Within the xssValidator directory on your local PC, edit the "/burp-extender/bin/burp/build.xml" file and replace the hard-coded version numbers with the latest in httpcomponents-client-4.5.1 (as of 11/6/15 it would be this):

    <path id="burp-extender.classpath">
        <pathelement location="."/>
        <pathelement location="../../lib/commons-codec-1.9.jar"/>
        <pathelement location="../../lib/commons-logging-1.2.jar"/>
        <pathelement location="../../lib/fluent-hc-4.5.1.jar"/>
        <pathelement location="../../lib/httpclient-4.5.1.jar"/>
        <pathelement location="../../lib/httpclient-cache-4.5.1.jar"/>
        <pathelement location="../../lib/httpcore-4.4.3.jar"/>
        <pathelement location="../../lib/httpmime-4.5.1.jar"/>
    </path>

5. Extract the httpcomponents-client-4.5.1-bin.zip and copy the /lib directory to /path/to/xssValidator/burp-extender/lib/
6. Install Apache Ant: http://www.mkyong.com/ant/how-to-install-apache-ant-on-windows/
7. Finally, go to the xssValidator/burp-extender/bin/burp directory and type "ant" to start the build. When complete, a new xssvalidator.java file will be created in that directory. Just import that into Burp manually.
8. Download PhantomJS 2.0: https://bitbucket.org/ariya/phantomjs/downloads/phantomjs-2.0.0-windows.zip
9. Run "phantomjs.exe C:\xssValidator\xss-detector\xss.js"
10. Follow the rest of the steps here: http://thehackpot.blogspot.com/2014/05/eliminating-automated-xss-false.html

Should be working now.
There is a bug in the latest version with 302 redirects - the plugin doesn't know how to handle those correctly but it works great for straight fuzzing on a normal request! Good luck!
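
A check for steps 4 and 5 of the post above, as an added example that is not part of the original post or of the xssValidator project: it lists every classpath entry in build.xml that has no matching file on disk, which is what a leftover hard-coded version number looks like before Ant is run. It assumes the build file sets no basedir (Ant then resolves locations against the build file's own directory); the function names, the wrapping project element and the mismatched httpcore-4.4.4.jar are constructed for the demonstration.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: the classpath from step 4, wrapped so it parses on its own.
SAMPLE_BUILD_XML = """<project name="burp-extender">
  <path id="burp-extender.classpath">
    <pathelement location="."/>
    <pathelement location="../../lib/commons-codec-1.9.jar"/>
    <pathelement location="../../lib/commons-logging-1.2.jar"/>
    <pathelement location="../../lib/fluent-hc-4.5.1.jar"/>
    <pathelement location="../../lib/httpclient-4.5.1.jar"/>
    <pathelement location="../../lib/httpclient-cache-4.5.1.jar"/>
    <pathelement location="../../lib/httpcore-4.4.3.jar"/>
    <pathelement location="../../lib/httpmime-4.5.1.jar"/>
  </path>
</project>"""

def missing_classpath_jars(build_xml, path_id="burp-extender.classpath"):
    """Return the classpath locations in build_xml that do not exist on disk."""
    build_xml = Path(build_xml)
    missing = []
    for path in ET.parse(build_xml).getroot().iter("path"):
        if path.get("id") != path_id:
            continue
        for elem in path.iter("pathelement"):
            loc = elem.get("location")
            # Assumption: no basedir attribute, so paths are relative to build.xml.
            if loc and not (build_xml.parent / loc).resolve().exists():
                missing.append(loc)
    return missing

def demo():
    """Constructed tree in which lib/ holds a different httpcore version."""
    jars = ["commons-codec-1.9.jar", "commons-logging-1.2.jar",
            "fluent-hc-4.5.1.jar", "httpclient-4.5.1.jar",
            "httpclient-cache-4.5.1.jar", "httpcore-4.4.4.jar",
            "httpmime-4.5.1.jar"]
    with tempfile.TemporaryDirectory() as tmp:
        burp_dir = Path(tmp) / "burp-extender" / "bin" / "burp"
        lib_dir = Path(tmp) / "burp-extender" / "lib"
        burp_dir.mkdir(parents=True)
        lib_dir.mkdir()
        (burp_dir / "build.xml").write_text(SAMPLE_BUILD_XML)
        for jar in jars:
            (lib_dir / jar).touch()
        return missing_classpath_jars(burp_dir / "build.xml")

if __name__ == "__main__":
    for loc in demo():
        print("missing from lib:", loc)
```

To check a real checkout, call missing_classpath_jars() with the path to its build.xml; an empty list means every entry in the classpath resolves to a file.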

Burp User | Last updated: Oct 05, 2017 08:32PM UTC

Hello, I know there is no support for third-party apps. I have been using the jar file, so I can find xssValidator/burp-extender/bin/burp directory

Rajesh | Last updated: Nov 14, 2021 03:11AM UTC

I am trying the xssValidator extension with PhantomJS on a Windows 10 machine. After setting up, I run the below command in the Windows prompt:

    phantomjs.exe xss.js

It runs. When I try to open the browser and launch this URL, I get an error saying "This site can’t be reached":

    http://127.0.0.1:8093/

Since PhantomJS support isn't there anymore, I want to know if this extension holds good or am I missing something.

Hannah, PortSwigger Agent | Last updated: Nov 17, 2021 01:14PM UTC

Hi, we are currently considering the removal of this extension from the BApp Store, as it relies on external dependencies and there is no longer any support for SlimerJS or PhantomJS. There was a user who successfully got this extension working on Windows in September. However, we don't have any further details than that.
