Hands-On Bug Hunting for Penetration Testers

Burp Suite and XSS Validator

One problem with automated and semi-automated solutions for XSS is distinguishing signal from noise. To do that, a useful Burp plugin, XSS Validator, runs a PhantomJS-powered web server that receives the results of Burp's queries and looks for a string injected into the alert() call embedded in the applied XSS snippets. Because the check happens in a real (headless) browser rather than by string matching on the response, it provides a clean way of culling the results of your XSS submissions down to confirmed vulnerabilities.
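To make the signal-versus-noise problem concrete, here is an added example (not code from the book or from the XSS Validator project) that does the static, pre-browser half of the triage: it takes a set of constructed response bodies and reports whether an injected probe came back verbatim, HTML-encoded, stripped, or not at all. Only the verbatim cases are worth the headless-browser confirmation step XSS Validator performs; the endpoint names and responses are hypothetical.

```python
import html

# Constructed sample data (not from the original page): one probe string carrying
# a unique marker, and four hypothetical server responses to that probe.
MARKER = "xssv-7f3a"
PROBE = f'<script>alert("{MARKER}")</script>'

SAMPLE_RESPONSES = {
    # reflected verbatim: candidate worth confirming in a real browser
    "search.php": f"<p>Results for: {PROBE}</p>",
    # reflected, but output-encoded by the template engine: noise
    "comment.php": f"<p>Thanks, {html.escape(PROBE)}</p>",
    # tags stripped by a sanitizer, only the inner text survives: noise
    "profile.php": f'<p>alert("{MARKER}")</p>',
    # not reflected at all
    "login.php": "<p>Welcome back</p>",
}


def classify_reflection(body: str, probe: str, marker: str) -> str:
    """Static triage of one response body for the injected probe.

    'raw'     - probe reflected unchanged, metacharacters intact (signal)
    'encoded' - probe reflected with < > " escaped as entities (noise)
    'altered' - marker survives but the probe was rewritten/stripped (noise)
    'absent'  - marker does not appear at all
    """
    if probe in body:
        return "raw"
    if html.escape(probe) in body or html.escape(probe, quote=False) in body:
        return "encoded"
    if marker in body:
        return "altered"
    return "absent"


def cull_candidates(responses: dict, probe: str = PROBE, marker: str = MARKER) -> list:
    """Return only the endpoints whose response still carries the raw probe."""
    return sorted(
        name for name, body in responses.items()
        if classify_reflection(body, probe, marker) == "raw"
    )


if __name__ == "__main__":
    for name, body in SAMPLE_RESPONSES.items():
        print(f"{name:12s} {classify_reflection(body, PROBE, MARKER)}")
    print("candidates:", cull_candidates(SAMPLE_RESPONSES))
```

A 'raw' verdict is still only a candidate: the reflection may land in a context (such as inside a comment or a CSP-restricted page) where nothing executes, which is exactly why XSS Validator finishes the job in a headless browser.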

The easiest way to download the XSS Validator Burp extension is through the Bapp store. Just navigate to the store from the Extension tab within Burp Suite and select the extension from the marketplace (needless to say, it's free). You can also install the extension manually by following the instructions in the XSS Validator GitHub documentation.

In addition to installing the extension, during your actual testing you'll need to run the server that parses incoming Burp requests. If you clone the XSS Validator git repo, you can navigate to the xss-validator directory and start the xss.js script. You can then bootstrap the server and set it to run as a detached background process in one easy line:

phantomjs xss.js &

With the XSS Validator server and Burp Suite running (boostrap_burp), navigate to the specific form input you'd like to test for XSS. As a way of demonstrating the tool on a proven testing ground, we're going to test a form input on the Web Scanner Test Site (webscantest.com) that's been designed to be susceptible to XSS:

After arriving on the page, with our Burp Proxy Intercept feature turned off so that we don't have to manually forward all the traffic on the way there, we enter something recognizable into the form fields we're testing:

Now we want to navigate back to our Burp Suite GUI and turn Intercept back on before we submit:

Now when we submit, you should see the browser favicon indicate a submission without anything changing on the form. If you go back to Burp, you'll see you've intercepted the form's POST request (note that if you have other tabs open, you might see that the Burp proxy has intercepted requests from those pages as well, and you'll have to forward them):

We want to send this request over to the Burp intruder feature, where we can do more to manipulate the POST data. To do that, right-click on the request and click Send to Intruder:

Once you're at the Intruder window, go to the Positions tab, where you can see the POST request parameters and cookie IDs already selected as Payload Positions. Let's go ahead and leave these defaults and move over to the Payloads tab to choose what we'll be filling these inputs with. In order to integrate with the XSS Validator extension, we need to make changes to the first three payload-related settings, as follows: