I’ve been getting a few false positives from Burp recently. Just want to make sure I’m not missing something obvious, as XSS is not my strongest suit.
Most of the time it appears when you load a web application that has a lot of scripts, and one of the scripts will be in the form `GET /emailcheck/v1/email?portalId=425470&callback=blah`, and if I intercept this request and change `blah` into `alert(document.domain)`, the alert appears and you get the main application’s domain, since the JSONP response is directly loaded into a JavaScript context within the main app. Is this considered XSSI or reflected self-XSS? Most people use these JSONP callbacks to bypass CSPs, but I’m not sure if there is a different valid reflected XSS application of the bug.
As a side note, it doesn’t work on the GET request itself because the response is not in HTML format but rather `application/json`, so the browser doesn’t execute JavaScript in that context and `>`, `<`, etc. are escaped.