• If you're testing for XSS on a site with a CSP, use burp's find+replace on the CSP reporting uri to point to a burp collaborator instance so you don't have to monitor dev tools for csp exceptions.
🧵:👇
• Search for hidden (and visible) input fields and try to set the value via GET. A lot of Webapps still use $_REQUEST. You will be surprised. If you have a
reflected value -> check of html/script injection.
• Now, if you are slightly experienced, after a few minutes of tinkering with this workflow, you will get a feeling whether it might have something interesting going on or not. This point is difficult to explain. It will come with practice.
🧵:👇
• The weird behavior doesn’t necessarily mean you have found a bug that is worth reporting. It probably means you have a good chance so you should keep digging into it more.