Page 73 - Hands-On Bug Hunting for Penetration Testers
Unsanitized Data – An XSS Case Study Chapter 4
The easiest way to download the XSS Validator Burp extension is through the BApp Store.
Just navigate to the store from the Extension tab within Burp Suite and select the extension
from the marketplace (needless to say, it's free). You can also install the extension manually
by following the instructions in the XSS Validator GitHub documentation.
In addition to installing the extension, during your actual testing, you'll need to run the
server parsing incoming Burp requests. If you clone the XSS Validator git repo, you can
navigate to the xss-validator directory and start the xss.js script. You can then
bootstrap the server and set it to run as a detached background process in one easy line:
phantomjs xss.js &
With the XSS Validator server and Burp Suite running (boostrap_burp), navigate to the
specific form input you'd like to test for XSS. As a way of demonstrating the tool on a
proven testing ground, we're going to test a form input on the Web Scanner Test Site
(webscantest.com) that's been designed to be susceptible to XSS:
After arriving on the page (with our Burp Proxy Intercept feature turned off so that we
don't have to manually forward all the traffic on the way there), we enter something
recognizable into the form fields we're testing: