How to do it...

  1. From the OWASP Mutillidae II menu, select Login by navigating to OWASP 2013 | A3 - Cross Site Scripting (XSS) | Reflected (First Order) | Pen Test Tool Lookup.
  2. Select a tool from the drop-down list and click the Lookup Tool button. Any value from the drop-down list will work for this recipe.
  3. Switch to Burp Proxy | HTTP history and find the HTTP message you just generated by looking up the tool. Note that the request contains a parameter called ToolID. In the following example, the value is 16.
  4. Flip over to the Response tab and note the JSON returned from the request. You can find the JavaScript function in the response more easily by typing PenTest in the search box at the bottom. Note that the tool_id is reflected in a response parameter called toolIDRequested. This may be an attack vector for XSS.
  5. Send the request over to Repeater. Add an XSS payload within the ToolID parameter immediately following the number. Use a simple payload such as <script>alert(1);</script>.
  6. Click Go and examine the returned JSON response, searching for PenTest. Notice that our payload is returned exactly as it was entered. It looks like the developer is not sanitizing any of the input data before using it. Let's exploit the flaw.
  7. Since we are working with JSON instead of HTML, we need to adjust the payload to match the structure of the JSON returned, so that it closes the surrounding JSON structure and the remainder is treated as legitimate script. We will modify the original <script>alert(1);</script> payload to "}} )%3balert(1)%3b// instead.
  8. Switch to the Burp Proxy | Intercept tab. Turn Interceptor on with the Intercept is on button.
  9. Return to Firefox, select another tool from the drop-down list, and click the Lookup Tool button.
  10. While Proxy | Interceptor has the request paused, insert the new payload of "}} )%3balert(1)%3b// immediately after the ToolID number.
  11. Click the Forward button. Turn Interceptor off by toggling to Intercept is off.
  12. Return to the Firefox browser and see the pop-up alert box displayed. You've successfully shown a proof of concept (PoC) for the reflected XSS vulnerability.

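To make the root cause of this finding concrete, here is an added Python model of the lookup endpoint (example code, not the book's or Mutillidae's own source): a vulnerable builder that concatenates ToolID straight into the JSON, beside an output-encoded version and a hardened version that validates the ID as an integer. The JSON shape, function names and the 6-digit ID limit are assumptions.

```python
import json
import re
from urllib.parse import unquote

# Constructed sample input: the recipe's payload as the server sees it after
# URL decoding ("16" followed by "}} );alert(1);//").
CONSTRUCTED_PAYLOAD = unquote('16"}} )%3balert(1)%3b//')


def vulnerable_lookup_response(tool_id_raw: str) -> str:
    """Models what the recipe observes: the raw parameter is concatenated into
    the JSON, so a double quote in it terminates the string and the rest of
    the input rewrites the structure of the response."""
    return '{"query": {"toolIDRequested": "' + tool_id_raw + '", "penTestTools": []}}'


def encoded_lookup_response(tool_id_raw: str) -> str:
    """Output encoding only: json.dumps escapes the quote, so the input stays
    a string. Because this JSON is embedded in a <script> block, also escape
    <, > and & so a '</script>' in the input cannot end the block early."""
    body = json.dumps({"query": {"toolIDRequested": tool_id_raw, "penTestTools": []}})
    return body.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def hardened_lookup_response(tool_id_raw: str) -> str:
    """Validation plus encoding: ToolID is a database ID, so reject anything
    that is not a short integer before it reaches the response at all."""
    if not re.fullmatch(r"\d{1,6}", tool_id_raw):  # assumed limit on ID size
        raise ValueError("ToolID must be an integer")
    return json.dumps({"query": {"toolIDRequested": int(tool_id_raw), "penTestTools": []}})


def reflects_structurally(response: str, supplied: str) -> bool:
    """True only if the response still parses as JSON and the supplied value
    survives as the toolIDRequested field rather than altering the document."""
    try:
        doc = json.loads(response)
    except json.JSONDecodeError:
        return False
    return str(doc["query"]["toolIDRequested"]) == supplied


if __name__ == "__main__":
    for name, fn in [("vulnerable", vulnerable_lookup_response),
                     ("encoded", encoded_lookup_response)]:
        print(name, "intact:", reflects_structurally(fn(CONSTRUCTED_PAYLOAD), CONSTRUCTED_PAYLOAD))
```

The vulnerable builder produces a response that no longer parses as JSON for the recipe's payload, which is exactly the breakout the browser then executes; either fix keeps the document intact.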