Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

New Post View All

Feature Requests

New Post View All

Burp Extensions

New Post View All

Bug Reports

New Post View All

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Burp Suite Professional and Community editions Burp Suite Enterprise Edition
Burp Scanner Burp Collaborator
Burp Infiltrator Full Documentation Contents

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility
  1. Support Center
  2. Issue Definitions
  3. Browser cross-site scripting filter disabled

Browser cross-site scripting filter disabled

Description: Browser cross-site scripting filter disabled

Some browsers, including Internet Explorer, contain built-in filters designed to protect against cross-site scripting (XSS) attacks. Applications can instruct browsers to disable this filter by setting the following response header:

X-XSS-Protection: 0

This behavior does not in itself constitute a vulnerability; in some cases XSS filters may themselves be leveraged to perform attacks against application users. However, in typical situations XSS filters do provide basic protection for application users against some XSS vulnerabilities in applications. The presence of this header should be reviewed to establish whether it affects the application's security posture.

Remediation: Browser cross-site scripting filter disabled

Review whether the application needs to disable XSS filters. In most cases you can gain the protection provided by XSS filters without the associated risks by using the following response header:

X-XSS-Protection: 1; mode=block

When this header is set, browsers that detect an XSS attack will simply render a blank page instead of attempting to sanitize the injected script. This behavior is considerably less likely to introduce new security issues.


Vulnerability classifications

Typical severity


Type index


Burp Scanner

Burp Scanner

This issue - and many more like it - can be found using our web vulnerability scanner

Read more
Get Burp

Get Burp

Scan your web application from just $399.00

Find out more