Home

Awesome

reflector <img src="https://github.com/elkokc/reflector/blob/master/screenshot/release-v2.0-blue.svg">

Description

Burp Suite extension is able to find reflected XSS on page in real-time while browsing on web-site and include some features as:

How to use

After plugin install you just need to start work with the tested web-application. Every time when reflection is found, reflector defines severity and generates burp issue. reflector usage

Each burp issue includes detailed info about reflected parameter, such as:

Allowed symbols analyse

reflector usage When the reflection is found and option "Aggressive mode" is activated, the reflector will check which of special-symbols are displayed on this page from vulnerable parameters. For this action, reflector compose additional requests for each reflected parameter. In example, while we were working with elkokc.ml website reflector are generated issue with a detailed information about reflection. There are 3 reflection for "search" parameter and each of them pass special symbols. Because of the possibility of displaying special characters issue severity is marked as high. Every time when reflection is found reflector define severity and generate burp issue.

Context analyse

In the "Check context" mode reflector it's not only show special characters that are reflected to the page, but also figure out a character that allows to break the syntax in the page code. In example you may see server response by reflector extension. Parameter "search" was send with a payload - p@y<"'p@y. As a result, it was reflected a few times in a different contexts.

reflector usage

In the issue information it's marked as:

Reflection navigation

Navigation by arrow buttons in the response tab. reflector usage

Settings

Moreover you can manage content-types whitelist with which reflector plugin should work. But if you will use another types except text/html, this can lead to slowdowns in work. reflector usage

How to compile

Compiled by jdk 1.7

Example:

Authors