Manual test of WebInspect XSS


I scanned my site with WebInspect 16 and checked the produced results. WebInspect detected Cross-Site Scripting (reflected) on my site, but when I send the WebInspect XSS request to my site, I don't get the result that it showed me.

Also, in web browser mode, I cannot see anything reflected.

How can I ensure that this is a real XSS and not a false positive?

  • Check the response to see what the finding is flagging on. What you should find (if it's a true positive) is the payload reflected back in the response page. If you can make the determination that there's no way that reflected payload can result in something executable on the client side, then you can consider it a false positive.

  • You can also retest this in real time. Open the Review Vulnerability tool by either double-clicking the Issue in the Vulnerability pane (bottom of UI) or via the right-click menu in that same area. The Review Vuln tool offers a Retest button and then shows a split screen of the original and the current test. The original HTTP Response may have highlighted the flaw (Session Details), and it should have been within an executable section of that Response, not simply repeated back as text.
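As an added example (not from the thread above and not WebInspect's own code), a small Python triage helper that classifies where a reflected marker lands in a saved response body, separating entity-escaped reflection (the "repeated back as text" false-positive case) from reflection that creates a new element or lands in an attribute or script block. The marker string and the sample responses are constructed.

```python
import html
from html.parser import HTMLParser

# Constructed probe: an alphanumeric marker wrapped in angle brackets, so the
# response shows both whether it is reflected and whether '<' survived intact.
MARKER = "zq7c4nry"
PAYLOAD = f"<{MARKER}>"
VOID_TAGS = {"input", "br", "img", "meta", "link", "hr"}  # never closed, so not stacked

class _ReflectionParser(HTMLParser):
    """Records the HTML context in which MARKER appears in a response body."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack, self.hits = [], []

    def handle_starttag(self, tag, attrs):
        if MARKER in tag:                       # '<zq7c4nry>' was parsed as a new element
            self.hits.append(("element", tag))
        for name, value in attrs:
            if value and MARKER in value:       # landed inside an attribute value
                self.hits.append(("attribute", f"{tag}@{name}"))
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:
            while self.stack.pop() != tag:
                pass

    def handle_data(self, data):
        if MARKER in data:
            parent = self.stack[-1] if self.stack else ""
            # Inside <script> the marker sits in executable JS; elsewhere it is plain text.
            self.hits.append(("script" if parent == "script" else "text", parent))

    def handle_comment(self, data):
        if MARKER in data:
            self.hits.append(("comment", data.strip()))

def triage_reflection(body: str) -> tuple[str, str]:
    """Return (context, detail) describing where PAYLOAD is reflected in body."""
    if PAYLOAD not in body:
        if html.escape(PAYLOAD, quote=False) in body:
            return ("escaped", "reflected as entities; inert in HTML body context")
        return ("not_reflected", "")
    parser = _ReflectionParser()
    parser.feed(body)
    parser.close()
    # Element, attribute and script contexts are the ones that support a true-positive call.
    return parser.hits[0] if parser.hits else ("unknown", "reflected outside parsed HTML")
```

Feed it the raw response body saved from the Review Vulnerability tool; an "escaped" or "comment" result matches the false-positive case the answer describes, while "element", "attribute" or "script" means the reflection sits in an executable section.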