In this blog I will show you how to use a proxy to perform an XSS attack, and how to automate part of it. To get started you need an intercepting proxy: either Burp Suite or OWASP ZAP, both of which are very good. Burp Suite comes in a free (Community) edition and a paid (Professional) edition; if you already have some experience with hacking, the Pro edition is worth buying. OWASP ZAP is free, so you can use it without paying anything, but in this post I will use Burp Suite because it is more popular and more user-friendly.

How to set up the Burp proxy for HTTP and HTTPS


If you use a pentesting distribution such as Kali Linux or Parrot Security OS, the free edition of Burp comes preinstalled. On Windows, macOS or any other Linux distribution you can download the free edition from the PortSwigger website.

Once Burp Suite is installed, open it, click on the Proxy tab and turn Intercept off. By default Intercept is on every time you start Burp, which means every request your browser makes will hang until you forward it.

Next click on Options (the highlighted part in the image). You will see the IP address and port the proxy listener is running on; by default it is 127.0.0.1 (localhost) on port 8080. You can change it here, but for now keep it as it is.


The proxy is now running, so the only remaining steps are to point your browser at it and to install Burp's CA certificate so that HTTPS traffic can be intercepted as well. Open your browser's settings (the exact path depends on the browser), find the proxy settings and open them; you will see the proxy options.
Chrome browser proxy option.
Firefox browser proxy option

Select manual proxy configuration and enter the proxy address and port that match your Burp listener. If you kept the default, enter 127.0.0.1 and port 8080, and tick "Use this proxy server for all protocols" so that HTTPS goes through Burp as well.


You can cross-check with the image above. Click OK and the proxy setup is done: every request from your browser now goes through Burp Suite, where you can inspect or modify it. The one remaining problem is HTTPS. Burp terminates TLS itself and presents the browser with a certificate signed by Burp's own CA, so until the browser trusts that CA it will show a certificate warning for every HTTPS site. To fix that you need to install Burp's CA certificate.

To get the certificate, make sure the browser is going through the proxy as set up above, then open http://burp in the address bar. Click "CA Certificate" and Burp will download its CA certificate (cacert.der) for you to import into the browser in the next step.




How to install the certificate on Firefox


Once the certificate is downloaded, go to the browser settings, find the certificate settings, click "View Certificates", open the "Authorities" tab, click "Import" and select the cacert.der file you downloaded. Firefox then asks how far to trust the new CA; tick:

  • Trust this CA to identify websites
  • Trust this CA to identify email users

Only the first option is actually needed for intercepting HTTPS; the second does no harm but is unnecessary. Keep in mind that anyone holding the private key of a CA your browser trusts can read your HTTPS traffic, so only trust the Burp CA in a browser or profile you use for testing.




Click OK and save. You can now see HTTPS requests as well; check it like this:

Open Burp Suite, turn Intercept on, and browse to any HTTPS website, for example facebook.com. You will see the request appear in Burp; you can modify it and click Forward.


How to install the certificate on Google Chrome


Open the browser settings and search for "manage certificates" ---> click on it ---> open the "Authorities" tab ---> click "Import" ---> select the certificate you downloaded ---> tick the trust options (only "Trust this certificate for identifying websites" is needed) ---> click OK. On Windows and macOS, Chrome uses the operating system's certificate store rather than its own, so the import dialog you get is the system one; add the certificate there as a trusted root authority.






Now that everything is set up, let's begin the XSS attack with Burp Suite. Before we start, here is one reason why a proxy is useful.

A proxy can be used to bypass client-side validation. What is client-side validation?

Take a real-world example. When you create a new account on a website and type your name (or anything other than digits) into the mobile number field, the page shows an error such as "invalid number". The thing is, you have not yet clicked the submit button and no request has been sent to the server, yet the error already appears. That is client-side validation: the check runs in your browser, not on the server.

It is usually JavaScript that checks your input. For example, the code might do something like:
  if the mobile number field contains only digits, accept it; otherwise show the "wrong number" error.

You could bypass this by turning JavaScript off in your browser settings, but you would lose some of the website's features, and for XSS you are dealing with JavaScript anyway, so disabling it is not a good idea.

With a proxy, you enter a valid-looking mobile number, the client-side code validates and approves it, and then you modify the value in the proxy before it is sent to the server. The server only sees what arrives over the wire, so a check that exists only in the page's JavaScript is a usability feature, not a security control. That is not the only reason a proxy is used, either.
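Here is the client-side validation bypass from above in code. This is an added example (Node.js), not code from the original post or from any real signup page; the ten-digit rule, the handler names and the flow are assumptions. It shows the browser-side check passing, the value being swapped "in the proxy", and why only a server-side re-check stops the bad value.

```javascript
// Added example: why a proxy bypasses client-side validation, and why the
// server must validate again. Names and the 10-digit rule are assumptions.

// Client-side check, as it would run in the signup page's JavaScript. It only
// proves the value was valid at the moment a browser that ran this code
// submitted the form; nothing stops the request from being edited afterwards.
function validateMobileClientSide(value) {
  return /^[0-9]{10}$/.test(value);
}

// Vulnerable server handler: trusts the field because "the page checked it".
function createAccountTrusting(body) {
  return { status: 200, stored: { mobile: body.mobile } };
}

// Hardened server handler: re-runs the same rule on the server side, where the
// attacker cannot disable it.
function createAccountValidating(body) {
  if (typeof body.mobile !== 'string' || !/^[0-9]{10}$/.test(body.mobile)) {
    return { status: 400, error: 'invalid mobile number' };
  }
  return { status: 200, stored: { mobile: body.mobile } };
}

// Simulate the flow from the post: the browser validates the typed value and
// submits; the request body is then modified in the proxy before it reaches
// the server. `proxyModifiedValue` is what the server actually receives.
function simulateProxiedSignup(typedValue, proxyModifiedValue) {
  if (!validateMobileClientSide(typedValue)) {
    return { clientAccepted: false };           // form never leaves the browser
  }
  const body = { mobile: proxyModifiedValue };
  return {
    clientAccepted: true,
    trusting: createAccountTrusting(body),      // stores the payload
    validating: createAccountValidating(body),  // rejects it
  };
}

// Constructed input: a valid number is typed, an XSS payload is sent instead.
const PAYLOAD = '"><script>alert(\'1\')</script>';
console.log(JSON.stringify(simulateProxiedSignup('9876543210', PAYLOAD), null, 2));
```

The trusting handler happily stores the script tag with a 200; the validating handler returns 400 for the same request. Whatever the page's JavaScript does, this server-side check is the only one an attacker with a proxy cannot skip.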


XSS With Burp-Suite

To test XSS with Burp we need a vulnerable site. To show how Burp is used I am using the ziem XSS challenge, level 1; you can find it here.

Make sure the Burp proxy is working and Intercept is on. Now when you click on level 1 your request goes to Burp; open Burp and the request will look like this:


If you don't know anything about the contents of this request, check the previous blog on HTTP headers. At the top you can see two options, Forward and Drop:
  • Forward sends the request on to the server.
  • Drop discards the request; nothing is sent to the server.


Below that you can see the whole HTTP request. It is a GET request, which means the parameters are visible in the URL and you could edit them there without a proxy, but within the proxy you can modify any part of the request, including headers and cookies.

Click in the request editor, replace name=zxm with name=hello and click Forward.
Now go back to the browser: you will see hello instead of zxm. That is the most basic way to modify a request from the proxy.

*Click Forward on any other intercepted requests as well if you have other websites open in the browser.*

This is not the best way to test something with the proxy, though. Burp Suite has a tool called Repeater that lets you send the same request again and again, editing it by hand each time. With Intercept, as used above, once you have forwarded the request it is gone: to change something else you have to go back to the browser, intercept the request again, and only then can you edit it.

Go to your browser and load the same page again, then go to the Proxy tab in Burp. This time, instead of modifying the request and forwarding it:
right-click on the request and choose "Send to Repeater" (or press Ctrl+R), then open the Repeater tab and you will see your request there.


From here you can send as many modified requests as you like. To solve this challenge, change the parameter value. A nice thing about Burp is that the value zxm and the cookie value are shown in a different colour: Burp highlights them as parameter values, i.e. the parts of the request that are under our control.

Now, to test for XSS, add your payload after the zxm parameter value.
payload : "><script>alert('1')</script>
The leading "> is there to close the attribute (and the tag) that the value is reflected into, so that the script tag lands in the page body instead of inside a quoted string.

Your request should look like this:



Click Send and the response appears in the Response pane. Right-click on the response, choose "Show response in browser", copy the link and paste it into your browser. If you see a popup, your JavaScript payload executed. That is how Burp Suite's Repeater works, and it is not only for XSS; you can use it the same way for other attacks too. Burp Suite is a big topic; if you are interested, ping me or comment below and I will try to cover more of it.
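To see exactly what the payload does to the page, here is an added example (Node.js) of a page that reflects the name parameter into an input field, once unsafely and once with output encoding. This is not the challenge's code; the template, the function names and the tag-counting check are assumptions made for the illustration.

```javascript
// Added example: why "><script>alert('1')</script> works, and what stops it.
// The page template is an assumption; the challenge's real HTML may differ.

// Vulnerable: the name parameter is written straight into the attribute value.
function renderGreetingVulnerable(name) {
  return `<input type="text" name="name" value="${name}">`;
}

// Encode the five characters that matter inside HTML text and attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Hardened: same template, but the value is encoded for the attribute context.
function renderGreetingSafe(name) {
  return `<input type="text" name="name" value="${escapeHtml(name)}">`;
}

// A crude "did my payload survive unencoded?" check, the kind of thing you do
// by eye in Repeater's response pane: list the opening tags in the output.
// This page should contain exactly one <input>; a <script> means the payload
// broke out of the attribute.
function tagNames(html) {
  return [...html.matchAll(/<\s*([a-zA-Z][a-zA-Z0-9]*)/g)].map(m => m[1].toLowerCase());
}

const PAYLOAD = '"><script>alert(\'1\')</script>';
console.log(renderGreetingVulnerable(PAYLOAD)); // the "> closes the input, <script> follows
console.log(tagNames(renderGreetingVulnerable(PAYLOAD))); // [ 'input', 'script' ]
console.log(renderGreetingSafe(PAYLOAD));       // payload sits inside value="..." as text
console.log(tagNames(renderGreetingSafe(PAYLOAD)));       // [ 'input' ]
```

Note that the fix is context-specific: attribute encoding is right for a value inside a quoted attribute, but a value reflected inside a script block or an unquoted attribute needs different handling.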


BURP SUITE AUTOMATION

Burp Suite also lets you automate this work with the Intruder tab. In the same way as above, right-click on the HTTP request and choose "Send to Intruder" (or press Ctrl+I), then open the Intruder tab.


 
The target is set automatically. Go to the Positions tab, where you select the part of the request you want to test. Click "Clear" on the right-hand side first, because Burp automatically marks every parameter value as a position. Then select zxm and click "Add" so that only that value is marked. Leave the attack type as Sniper, which substitutes each payload into the single marked position in turn.


Now go to the Payloads tab. Here you choose the payloads Burp will substitute into the marked position; for that you need a text file full of XSS payloads, which you can download from here. In "Payload Options [Simple list]" click "Load", select the text file you downloaded, and click "Start attack".





Now click on the Length column header to sort the results by response length. Responses that are noticeably longer (or shorter) than the baseline are the ones where the payload changed the page, so they are the most likely candidates for a reflected payload. Length alone is only a heuristic, though: a payload that was HTML-encoded or partly stripped also changes the length. A better signal is whether the payload appears in the response unencoded; Intruder's "Grep - Match" option can flag every response that contains a string such as <script> for you.

Click on any request with a large length, right-click it, choose "Show response in browser", paste the link into your browser and see whether your payload executes or not.


  • Automation is not the best approach in the real world. Running it against a random website means attacking a system you are not authorised to test, and most bug bounty programs forbid automated scanning in their rules, so read the program's policy first.
  • Intruder in the free (Community) edition is deliberately throttled, so attacks with large payload lists are slow; you need the Pro edition for full-speed automation.
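To make the ranking step concrete, here is an added example (Node.js) of a minimal Intruder-style Sniper run: a small constructed payload list is substituted into one position, and each result is recorded with its response length, like Burp's result table, plus a stronger "payload reflected verbatim" flag. This is not Burp's code or the challenge's; the target is a constructed stub that reflects the parameter after a weak filter that strips `<script`, so everything runs offline. Replace `fetchPage` with a real HTTP call (through 127.0.0.1:8080 if you want Burp to see it) only against a target you are authorised to test.

```javascript
// Added example: an Intruder-like "sniper" run with length-based ranking and a
// reflection check. PAYLOADS, fetchPage and the target's filter are constructed.

const PAYLOADS = [                          // constructed mini wordlist
  'zxm',                                    // index 0 is the benign baseline
  '"><script>alert(\'1\')</script>',
  '<script>alert(1)</script>',
  '"><img src=x onerror=alert(1)>',
];

// Constructed target: reflects ?name= into an attribute and a paragraph after a
// naive blacklist filter. Stand-in for a real request through the proxy.
function fetchPage(name) {
  const filtered = name.replace(/<script/gi, '');
  return `<html><body><input name="name" value="${filtered}"><p>Hello ${filtered}</p></body></html>`;
}

// One sniper run: substitute each payload into the marked position and record
// what Burp's result table shows (length) plus whether the payload came back
// exactly as sent, i.e. neither encoded nor stripped.
function sniper(payloads, send) {
  const baseline = send(payloads[0]).length;
  return payloads.map(p => {
    const body = send(p);
    return {
      payload: p,
      length: body.length,
      delta: body.length - baseline,
      reflectedVerbatim: body.includes(p),
    };
  });
}

// Rank as the post suggests (longest first), but carry the reflection flag so a
// long response that only echoes a mangled payload is not mistaken for a hit.
function rankResults(results) {
  return [...results].sort((a, b) => b.length - a.length);
}

const results = rankResults(sniper(PAYLOADS, fetchPage));
for (const r of results) {
  const flag = r.reflectedVerbatim ? 'REFLECTED' : '         ';
  console.log(`${String(r.length).padStart(5)} ${String(r.delta).padStart(5)} ${flag} ${r.payload}`);
}
```

In this run all three attack payloads come back longer than the baseline, so a pure length sort puts them all at the top; only the `<img onerror>` one is flagged as reflected verbatim, because the filter mangled both `<script>` variants. That is the same judgement you make by opening a long response in the browser, just automated.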
