Listen to this Post

Introduction
Reflected Cross‑Site Scripting (RXSS) remains one of the most frequently exploited web vulnerabilities, yet it can be surprisingly difficult to detect when traditional scanning methods fail. In a recent real‑world case, a bug hunter discovered an RXSS that evaded all automated checks, only revealing itself through a combination of Burp Suite’s manual testing capabilities and a deep dive into the application’s JavaScript code. This article dissects that approach, providing a hands‑on guide to uncovering similar elusive flaws and reinforcing why JavaScript fluency is indispensable for modern security testing.
Learning Objectives
- Understand the limitations of automated scanners and the critical role of manual testing for RXSS.
- Learn to leverage Burp Suite’s advanced features—Repeater, Intruder, and extensions—to craft and test context‑aware payloads.
- Develop the skills to analyse JavaScript files for injection points and exploit DOM‑based XSS vectors.
You Should Know
- The Challenge of Finding Reflected XSS in Modern Web Apps
The bug hunter’s post emphasises that the RXSS could not be found “in a normal way.” Traditional vulnerability scanners often rely on generic payloads and simple reflections, but modern web applications employ input validation, output encoding, and client‑side frameworks that break these patterns. The key insight was to look inside JavaScript—where user input might be dynamically incorporated into the DOM or processed by event handlers. This section expands on why JavaScript is a goldmine for XSS and how to start your investigation.
Step‑by‑step guide
- Map the application using Burp Suite’s Spider or by manually browsing while recording traffic.
- Identify all parameters that accept user input (GET/POST, cookies, headers).
- Test for basic reflection by injecting a unique string (e.g.,
rxss_test_123) into each parameter and checking the response for its presence. - Use Burp Repeater to quickly modify and resend requests. For example, send a request with `?search=` and examine the HTML response for unencoded output.
- If no obvious reflection appears, shift focus to JavaScript files. Download all `.js` files linked in the page (or use `curl` to fetch them):
curl -s https://target.com/app.js | grep -i "document.write|innerHTML|eval|location"
2. Analysing JavaScript for Hidden XSS Vectors
JavaScript often contains the logic that processes URL parameters, hash fragments, or even data from `localStorage` and inserts them into the DOM. A single unsafe sink can turn a benign parameter into a reflected XSS vector.
Step‑by‑step guide
- Open the browser’s Developer Tools (F12) and navigate to the Sources tab. Locate all JavaScript files loaded by the page.
- Search for dangerous functions such as
innerHTML,outerHTML,document.write(),eval(), `setTimeout()` with string arguments, and jQuery methods likehtml(),append(), or `$()` used with variables. - Trace the data flow: Use the debugger to set breakpoints where these functions are called. Then, trigger the functionality (e.g., by submitting a form) and inspect the call stack to see if user‑controlled input reaches the sink.
4. Example vulnerable pattern:
var user = location.hash.substring(1);
document.getElementById('greeting').innerHTML = user;
Here, the fragment part of the URL (...) is directly inserted into the DOM. A payload like `` would execute.
3. Advanced Burp Suite Configuration for XSS Hunting
Burp Suite offers a rich set of tools to automate and refine XSS testing. Beyond basic Repeater, its Intruder and extensions can help discover reflections that manual inspection might miss.
Step‑by‑step guide
- Install the “XSS Validator” extension from the BApp Store. It automatically tests each insertion point with a set of payloads and reports successful reflections.
2. Configure Intruder for parameter fuzzing:
- Send a request to Intruder, mark the parameter you want to test.
- Load a comprehensive XSS payload list (e.g., from PayloadsAllTheThings).
- In the Payloads tab, enable Payload encoding and optionally add Payload processing rules to try URL‑encoded, HTML‑encoded, or double‑encoded variants.
- Use Burp’s Comparer to quickly spot differences between responses. After running Intruder, look for responses where the payload was reflected without encoding.
- Leverage “Burp Bounty” (a Pro‑level extension) to create custom scan checks that mimic manual JavaScript analysis, such as detecting DOM‑based XSS patterns.
4. Crafting Context‑Aware XSS Payloads
A payload that works in one context may fail in another because of filters, encoding, or the surrounding code. Understanding the injection context is vital.
Step‑by‑step guide
- Determine the context by examining where the input lands:
– Between HTML tags: `