How to do it...

The following steps demonstrate the XSS Validator:

  1. We open up Burp and switch to the Extender tab:
  1. We then install the XSS Validator extender:
  1. Once the installation is done, we will see a new tab in the Burp window titled xssValidator:
  1. Next, we install PhantomJS and SlimerJS; this can be done on Kali with a few simple commands.
  2. We download both the PhantomJS file from the internet using wget: 
        sudo wget https://bitbucket.org/ariya/phantomjs/downloads/
        phantomjs-1.9.8-linux-x86_64.tar.bz2
  1. We extract it using the following command:
        tar jxvf phantomjs-1.9.8-linux-x86_64.tar.bz2

The following screenshot shows the folder in which the preceding command downloads the PhantomJS file:

  1. Now we can browse the folder using cd, and the easiest way is to copy the PhantomJS executable to /usr/bin: 
        cp phantomjs /usr/local/bin

The following screenshot shows the output of the preceding command:

  1. To verify that we can type the phantomjs -v command in the Terminal and it will show us the version.
  2. Similarly, to install SlimerJS we download it from the official website:
    http://slimerjs.org/download.html.
  3. We first install the dependencies using the following command:
        sudo apt-get install libc6 libstdc++6 libgcc1 xvfb
  1. Now we extract the files using this:
        tar jxvf slimerjs-0.8.4-linux-x86_64.tar.bz2
  1. We then browse the directory and simply copy the SlimerJS executable to /usr/local/bin:
  1. Then, we execute the following command:
        cp slimerjs /usr/local/bin/

The following screenshot shows the output of the preceding command:

  1. Now we need to navigate to the XSS Validator folder.
  2. We then need to start the PhantomJS and SlimerJS server using the following commands:
        phantomjs xss.js &
        slimerjs slimer.js &
  1. Once the servers are running, we head back to the Burp window. In the XSS Validator tab on the right-hand side, we will see a list of payloads the extender will test on the request. We can manually enter our own payloads as well:
  1. Next, we capture the request we need to validate XSS on.
  1. We select the Send to Intruder option:
  1. Then, we switch to the Intruder window, and under the Positions tab, we set the position where we want our XSS payloads to be tested. The value surrounded by ยง is where the payloads will be inserted during the attack:
  1. In the Payloads tab, we select the Payload type as extension-generated:
  1. In Payload Options, we click on the Select generator... and choose XSS Validator Payloads:
  1. Next, we switch to the XSS Validator tab and copy Grep Phrase; this phrase can be customized as well:
  1. Next, we switch to the Options tab in the Intruder and add the copied phrase in the Grep - Match:
  1. We click on Start attack, and we will see a window pop up:
  1. Here, we will see that the requests with a check mark in our Grep Phrase column have been successfully validated: