top of page
  • Writer's pictureotw

Web App Hacking: BurpSuite, Part 3: Testing for Persistent XSS

Updated: Dec 30, 2022

Welcome back, my aspiring cyberwarriors!

Cross Site Scripting or XSS is one of the most problematic vulnerabilities in web applications. It ranks among the OWASP Top 10 website vulnerabilities nearly every year. For more on cross-site scripting, check out my post here.

In this tutorial, I will demonstrate how to use the BurpSuite to test a website for the XSS vulnerability

Step #1: Fire Up Kali and OWASP BWA

First, start up your Kali.

Then start the OWASP Broken Web App (BWA) server.

Step #2 Start Burp Suite

Now, from your Kali, start Burp Suite.

Make certain that your have the proxy setting in your browser set. For more on how to set your browser to proxy, go to my post here.

When BurpSuite starts, you will be greeted with a start up screen like that below asking whether you want to start a Temporary project, a New Project on Disk, or Open an existing project.

Let's just use a Temporary project.

Step #3: Open Mutillidae II

Now, from your web browser in Kali, navigate to the OWASP BWA system IP address. Then select Mutillidae II.

From the Mutillidae II menu select;

-->OWASP 2013 (upper left)

-->then, select Cross Site Scripting

-->select, Persistent (Second Order)

-->finally, select Add to Your Blog

Step #4: Add to Your Blog

Now, with the Blog application open like below,

go ahead and add something to your Blog.

In my case, I added "This is my blog on persistent XSS".

You can add any blog post you like.

Now, make certain the intercept is ON in your Burp Suite and then click on the "Save Blog Entry."

Step #5: Intercept the POST

With the intercept ON in your BurpSuite, you should "catch" the POST to the blog before it hits the server. Notice on the last line, you can see the blog post in red.

Step #6: Add a Script to the Blog Post

Now, having intercepted the blog post, you can add a script. This script will be saved with the post into the web site database. This makes it persistent. In my case, I added the following script after the blog post and before "add-to-your-blog-php.... as seen below.

<script>alert("Hackers-Arise is the best for cybersecurity");</script>

Now, forward the post (Hit the Forward button) to the blog. When you return to your browser, you will see a persistent and annoying (albeit, accurate) alert box pop-up on your screen.

Congratulations, you have succeeded in adding a persistent XSS to the Mutillidae II web site that will remind and annoy each user that navigates to this application.


Persistent Cross-Site Scripting is the process of embedding the web application with a script that will be executed each time the web application is viewed. This is perennially among the OWASP Top 10 most serious vulnerabilities each year. Burp Suite is an excellent tool for testing the vulnerability of web sites for this common vulnerability.

bottom of page