Practical stored XSS Example using Burp Suite

From Embedded Lab Vienna for IoT & Security
Revision as of 11:24, 8 January 2023 by RHaidl (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search


This practical guide shows how to execute a stored XSS exploit using burp suite.


In order to complete these steps, you must have followed the readme [1] before.



Step 1

Open Burp Suite, navigate to Proxy -> Intercept and make sure to turn Intercept on.

turn on intercept

Step 2

Click on "Open Browser" in order to open the integrated Burp Suite browser. Once the browser started (it takes a while), open the add-entry.html file in it.

Step 3

As the interceptor is turned on, all requests from the client to the server are intercepted. All requests need to be forwarded, til the website has loaded completely. (Click on Forward) intercepted request

Step 4

Once the website has loaded, fill out the form with data and submit it. Now you can see, that the client sends a POST request to the backend with the content of the form in JSON format.

intercepted POST request

Step 5

As the transmitted data in the POST request is not validated on server side, you can change a parameter of the JSON to arbitrary JavaScript code.

In this tutorial we change the 'description' parameter to the following JavaScript code

<script>alert('XSS Code Injection')</script>

and then forward the request.

modified POST request

Step 6

Once you submitted the form and forwarded the request to the server you need to either turn off the Interceptor because you have already sent the malicious code to the server (where it has been saved to the database) or forward all requests. After that you will be automatically redirected to the show-entry.html file where the malicious code is loaded from the server (DB) and executed on the client browser.

javascript code is executed