XSS
1. Reflected XSS Methods
Reflected XSS attacks exploit vulnerabilities where user input is included in the response without proper sanitization. Below are some common approaches.
Mind Map for Reflected XSS
An extensive mind map detailing approaches to reflected XSS can be found here: Reflected XSS Mindmap by @A9HORA.
1.1 Using Burp Suite
Install the Reflection and Sentinel plugins for Burp Suite.
Walk and spider the target site.
Inspect the reflected parameters tab in Burp.
Send parameters to Sentinel for automated analysis or verify manually.
1.2 Using WaybackURLs and Similar Tools
Use Gau or WaybackURLs to collect URLs.
Filter parameters using grep "=" or GF patterns and store them in a file.
Manually inspect reflected parameters or use Dalfox.
1.3 Using Google Dorks
Start with the Google dork: site:target.com
Find links with parameters using dorks such as:
site:target.com inurl:".php?"
site:target.com filetype:php
More dorks: Top 100 XSS Dorks
Check if parameters are reflected in HTML.
Inject XSS payloads or test with automated tools.
1.4 Finding Hidden Variables in Source Code
Inspect JavaScript and HTML source files for hidden parameters.
Search manually in Page Source for:
var=
=""
=''
Append discovered parameters to URLs, e.g.,
https://example.com?hiddenvariablename=xss
1.5 Other Techniques
Use Methods 1 or 2 to gather URLs.
Identify the firewall using WhatWaf.
Find WAF bypass payloads:
Twitter search
Use Arjun to discover hidden parameters.
Additional Tips
Examine error pages (404, 403, etc.) for reflected values.
Trigger a 403 error by requesting the .htaccess file.
Test all reflected parameters for XSS.
Video References
2. Stored XSS Methods
Stored XSS occurs when a malicious script is persisted on the target website (for example in a database record) and later served to other users who load the affected page.
Steps for Detecting Stored XSS
Enumerate the firewall and identify WAF rules.
Test payloads in fields such as:
Username
Address
Email
Inject payloads in profile picture filenames and metadata.
Attempt injections in comments, reviews, and feedback sections.
Try every input field that reflects data to other users.
Register an account with an XSS payload in the name field.
Additional Tips
Test entity injection with:
<a href=#>test</a>
If any payload is executed, refine and escalate the attack.
Write-Up Reference
3. Blind XSS
Blind XSS occurs when the payload does not immediately reflect, but executes later in backend systems or admin panels.
Detection Techniques
Inject payloads that call back to a listener on your server.
Use Burp Collaborator or ngrok to receive the callbacks.
Test injection points such as:
Contact forms
Admin dashboards
User input logs
E-commerce checkout fields
Common Injection Points
Review and feedback forms
Address fields in e-commerce sites
User-Agent headers
Log viewers
Chat applications
Moderation panels
Video References
4. DOM-Based XSS
DOM XSS occurs when client-side JavaScript reads user-controllable input and writes it into the page without sanitizing it, so the payload never has to pass through the server response.
Tips
Manual detection is difficult; use tools like:
Burp Suite PRO
Video References
5. XSS Filter Evasion Techniques
General Bypass Techniques
Replace < and > with HTML entities:
&lt;script&gt;alert(1)&lt;/script&gt;
Use XSS polyglots:
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
XSS Firewall Bypass
Bypass lowercase filtering:
<scRipT>alert(1)</scRipT>
Break firewall regex using new lines:
<script>%0alert(1)</script>
Double Encoding:
%2522
Recursive filters bypass:
<src<script>ipt>alert(1);</scr</script>ipt>
Injecting anchor tags without whitespace:
<a/href="j	a	v	asc	ri	pt:alert(1)">
Bypassing whitespace filtering using a bullet (•) in place of the space:
<svg•onload=alert(1)>
Changing request methods (send the same parameter via GET and via POST):
GET /?q=xss
POST / q=xss
Injecting CRLF characters for HTTP response splitting:
GET /%0A%0DValue=%20Virus
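The evasion list above is why a blocklist filter is not a fix. As an added example (not code from the original HowToHunt page), the Python below pits a typical weak blocklist rule against inputs modelled on the listed variants, then shows what actually neutralises them: output encoding for an HTML text context and a scheme allowlist for the href context. The sample inputs, the blocklist rule and the function names are constructed for this example.

```python
import html
import re
from urllib.parse import unquote

# Constructed inputs modelled on the evasion variants listed in section 5.
SAMPLES = {
    "mixed case":      "<scRipT>alert(1)</scRipT>",
    "newline in tag":  "<script>%0aalert(1)</script>",
    "recursive strip": "<src<script>ipt>alert(1);</scr</script>ipt>",
    "double encoding": "%253Cscript%253Ealert(1)%253C/script%253E",
}

# A typical weak blocklist rule: exact lowercase match, '.' does not cross newlines,
# and it inspects the value after a single round of URL decoding.
_BLOCK = re.compile(r"<script>.*?</script>")
_TAG = re.compile(r"<[a-z]", re.IGNORECASE)
_ALLOWED_SCHEMES = ("http", "https", "mailto")

def naive_filter(value: str) -> str:
    """Blocklist 'sanitizer': decode once, strip what the rule matches, pass the rest."""
    return _BLOCK.sub("", unquote(value))

def normalize(value: str) -> str:
    """Approximate what the browser finally sees: decode until nothing changes."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value

def still_has_tag(fragment: str) -> bool:
    """True if any tag-opening sequence survives, whatever its case or encoding."""
    return _TAG.search(normalize(fragment)) is not None

def escape_for_html(value: str) -> str:
    """Output encoding for an HTML text context: markup characters become entities."""
    return html.escape(normalize(value), quote=True)

def safe_href(value: str) -> str:
    """href/src context: entities are not enough, the URL scheme must be allowlisted.
    Browsers ignore tabs/newlines inside the scheme, so strip them before checking."""
    cleaned = re.sub(r"[\x00-\x20]", "", normalize(value))
    scheme = re.match(r"([a-z][a-z0-9+.-]*):", cleaned.lower())
    if scheme and scheme.group(1) not in _ALLOWED_SCHEMES:
        return "#"  # neutral placeholder; relative URLs (no scheme) pass through
    return html.escape(value, quote=True)

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:16} survives blocklist: {still_has_tag(naive_filter(payload))}")
```

Every sample survives the blocklist rule, while the encoded output contains no tag at all; the href check rejects the tab-split javascript: scheme but leaves relative and https URLs usable.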
Acknowledgments and References
Special Thanks
References
Authors
Enhanced and reformatted for HowToHunt repository by remonsec