XSS
Reflected XSS Methods
Many methods are out in the wild; here are a few of the most common, though the list is not exhaustive.
An awesome mind map for approaching reflected XSS can be found here: https://github.com/A9HORA/Reflected-XSS-Mindmap (made by @A9HORA).
Tip: While using the other methods, keep method 2 running in the background in a terminal or on a VPS.
1. Using Burp
Download the Reflection and Sentinel plugins for Burp.
Walk and spider the target site.
Check the reflected params tab in Burp.
Send those parameters to Sentinel or check them manually.
2. Using Waybackurls and other similar site
Use gau or waybackurls to passively gather URLs of the target.
Filter for URLs that carry parameters using
grep "="
or gf patterns and store them in a new file. Check the reflected params manually or use a tool like Dalfox.
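The filtering step above is usually a one-liner, but a raw gau/waybackurls dump repeats the same endpoint with hundreds of different parameter values. The script below is an added example (not from the original page or any of the tools it names) that does what `grep "="` or a gf pattern does and additionally collapses URLs that differ only in parameter values, so each parameter is reviewed once. The URL list is constructed sample data.

```python
"""Filter a passively gathered URL list down to unique parameterised endpoints.

Added example, not from the original page. It keeps only URLs with a query
string (like `grep "="`) and de-duplicates by endpoint + parameter names.
"""
import sys
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of what gau / waybackurls might print for one host.
SAMPLE_URLS = """\
https://example.com/
https://example.com/search?q=shoes&page=1
https://example.com/search?q=boots&page=2
https://example.com/item.php?id=42
https://example.com/static/app.js
http://example.com/login?next=/account
https://example.com/item.php?id=43&ref=mail
"""


def parameterised_endpoints(url_text: str) -> dict[str, set[str]]:
    """Map each endpoint (scheme://host/path) to the set of parameter names seen on it.

    URLs without a query string are skipped, exactly as `grep "="` would skip
    them; parameter values are discarded so that /search?q=shoes and
    /search?q=boots collapse into a single entry.
    """
    endpoints: dict[str, set[str]] = {}
    for line in url_text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = urlsplit(line)
        if not parts.query:
            continue
        names = {name for name, _ in parse_qsl(parts.query, keep_blank_values=True)}
        if not names:
            continue
        key = f"{parts.scheme}://{parts.netloc}{parts.path}"
        endpoints.setdefault(key, set()).update(names)
    return endpoints


def review_list(url_text: str) -> list[str]:
    """One line per endpoint with its parameter names sorted, ready to save to a file."""
    eps = parameterised_endpoints(url_text)
    return [f"{ep} {' '.join(sorted(names))}" for ep, names in sorted(eps.items())]


if __name__ == "__main__":
    # Pass a file of URLs as the first argument; otherwise the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_URLS
    print("\n".join(review_list(text)))
```

Feed it the output of gau or waybackurls saved to a file; the result is the "new file" the step above refers to, with each endpoint listed once and its parameter names beside it.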
3. Using Google Dorks
Use the Google dork
site:target.com
to filter the results. Now search for links which have params by adding more dorks, something like
site:target.com inurl:".php?"
or
site:target.com filetype:php
etc. You can find some dorks at this link https://www.openbugbounty.org/blog/devl00p/top-100-xss-dorks/ or google for them. Check if the param value is reflected in the HTML source code.
Try an XSS payload there or pass it to a tool.
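The reflection check in the step above (is the parameter value echoed back, and where?) is what the Burp reflection plugins automate, and it is the same check an application owner should run against their own pages to confirm output encoding. The following is an added example, not code from the original page or from Burp: instead of a payload it sends a random canary followed by a few characters that correct encoding must neutralise, then reports the HTML context of each reflection and whether those characters came back raw or encoded. The response bodies are constructed templates; no HTTP request is made.

```python
"""Report where a parameter value is reflected in a response and whether it is encoded.

Added example, not from the original page. Response bodies are constructed
templates standing in for real server output.
"""
import html
import re
import secrets

PROBE_TAIL = "<\">'"                                  # must not survive unencoded
ENCODED_TAIL = html.escape(PROBE_TAIL, quote=True)    # '&lt;&quot;&gt;&#x27;'

# Constructed templates; {q} marks where the echoed parameter value would appear.
SAMPLE_PAGES = {
    "text":      "<html><body><h1>Results for {q}</h1></body></html>",
    "attribute": '<html><body><input type="text" name="q" value="{q}"></body></html>',
    "script":    "<html><body><script>var q = '{q}';</script></body></html>",
    "none":      "<html><body><h1>No results</h1></body></html>",
}


def make_canary() -> str:
    """Random alphanumeric token, unlikely to occur in a page by chance."""
    return "cnry" + secrets.token_hex(4)


def build_probe(canary: str) -> str:
    """Value to send in the parameter under test."""
    return canary + PROBE_TAIL


def context_of(before: str) -> str:
    """Classify the HTML context at the end of `before` (the text preceding a hit)."""
    low = before.lower()
    if low.rfind("<script") > low.rfind("</script>"):
        return "script"                                # inside an open <script> block
    if re.search(r"<[a-zA-Z][^>]*$", before):
        return "attribute"                             # inside an unclosed start tag
    return "text"


def reflection_report(body: str, canary: str) -> list[dict]:
    """One entry per occurrence of the canary: its context and how the probe tail came back."""
    findings = []
    for m in re.finditer(re.escape(canary), body):
        after = body[m.end():]
        if after.startswith(PROBE_TAIL):
            encoding = "raw"        # special characters survived: unencoded reflection
        elif after.startswith(ENCODED_TAIL):
            encoding = "encoded"    # HTML-encoded: safe in text and attribute context
        else:
            encoding = "other"      # partially filtered or transformed: inspect by hand
        findings.append({"context": context_of(body[:m.start()]), "encoding": encoding})
    return findings


def simulate(kind: str, canary: str, server_encodes: bool) -> list[dict]:
    """Render a sample page with the probe echoed back (encoded or not) and report on it."""
    value = build_probe(canary)
    if server_encodes:
        value = html.escape(value, quote=True)
    return reflection_report(SAMPLE_PAGES[kind].format(q=value), canary)


if __name__ == "__main__":
    c = make_canary()
    for kind in SAMPLE_PAGES:
        for enc in (False, True):
            print(f"{kind:9} server_encodes={enc!s:5} -> {simulate(kind, c, enc)}")
```

A "raw" result in text or attribute context is the finding the step above is looking for; "encoded" means the page handled the value correctly for those contexts. Note that HTML entity encoding is not the right fix inside a script block, so a hit reported as "script" needs a separate look regardless of the encoding column.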
4. Find Hidden Variables In Source Code.
Check JavaScript files or the HTML source for hidden or unused variables.
You can check manually: right click, View Page Source, and search for var=, ="" or =''.
Now append that variable name to the webpage URL, for example https://example.com?hiddenvariablename=xss
5. Other Methods
Use methods 1 or 2 to gather the URLs.
Enumerate the firewall using https://github.com/Ekultek/WhatWaf or a similar tool.
Find WAF bypass payloads by searching on Twitter, or in this GitHub repo https://github.com/0xInfection/Awesome-WAF
Also use Arjun to find hidden params.
Tips
Check the error pages (404, 403, ...); sometimes they contain reflected values.
Trigger a 403 by trying to get the .htaccess file.
Try every reflected parameter.
Videos
https://www.youtube.com/watch?v=wuyAY3vvd9s
https://www.youtube.com/watch?v=GsyOuQBG2yM
https://www.youtube.com/watch?v=5L_14F-uNGk
https://www.youtube.com/watch?v=N3HfF6_3k94
Stored XSS Methods
Stored XSS is mostly found manually.
Enumerate the firewall using the methods above and select a payload to test accordingly.
Try the selected WAF bypass payload while registering on the site, in fields like username, name, address, email, etc.
Try the payload in the file name of a profile picture and also in the source file of the image.
Try the comment section anywhere on the target site.
Try every input field which gets reflected in the page and which can be seen by other users.
Try to sign up using your name + XSS payload; that can lead to stored XSS.
Tips
For every input field:
Try to get <a href=#>test</a>
Try to get an entity in
Try to get an obfuscated entity in
If it catches on anything, go deeper.
Videos
https://www.youtube.com/watch?v=uHy1x1NkwRU
Writeup: https://medium.com/@fatin151485/how-i-found-my-first-stored-xss-on-popular-eboighar-com-6bd497b0bb96
Blind XSS
Similar to reflected XSS or stored XSS, but you don't get any reflection; instead you get a response on your own server.
Use similar methods as given above, except try a payload which gives a callback to your server when executed.
You can use https://xsshunter.com/, Burp Collaborator or ngrok.
Try it on contact forms or similar functionality.
Tips
Copy every payload from your XSS Hunter payloads section and paste it into every field you see.
XSS Hunter contains a payload for CSP bypass.
Generate some variations of your payloads (for example, replace < with &lt;).
Where to look for Blind XSS……
DOM XSS
Tips
I would not recommend manually looking for DOM XSS.
The Burp Suite Pro scanner can find DOM XSS.
Tool: https://github.com/dpnishant/ra2-dom-xss-scanner
Videos
https://www.youtube.com/watch?v=gBqzzhgHoYg
https://www.youtube.com/watch?v=WclmtS8Ftc4
XSS filter evasion tips
Tips
< and > can be replaced with the HTML entities &lt; and &gt;
You can try an XSS polyglot:
javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
https://gist.github.com/michenriksen/d729cd67736d750b3551876bbedbe626
XSS Firewall Bypass Techniques
Check if the firewall is blocking only lowercase.
Try to break the firewall regex with a new line (\r\n).
Try double encoding.
Test for recursive filters: if the firewall strips the matched text only once, what remains around it forms a clean payload.
Inject an anchor tag without whitespace.
Try to bypass whitespace filtering using a bullet character.
Try changing the request method.
Try CRLF injection.
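Several of the tips above (lowercase-only matching, single-pass removal that a nested tag survives) and the entity note in the filter evasion section describe the same underlying defect: a blocklist filter rewrites input and hopes nothing dangerous is left, whereas output encoding turns every < and > into &lt; and &gt; so nothing can become a tag at all. The block below is an added example, not code from the original page or from any WAF: `naive_filter` and its two "improved" variants model those filter mistakes on constructed test strings, and `encode_for_html` is the fix a defender should ship instead.

```python
"""Blocklist filtering versus output encoding, on constructed test strings.

Added example, not from the original page. The filters are deliberately
weak to model the failure modes listed in the tips above.
"""
import html
import re

# Constructed inputs: a literal tag, a mixed-case tag, a tag nested inside
# itself, and a tag the blocklist never mentions.
CASES = ["<script>", "<ScRiPt>", "<scr<script>ipt>", "<img>"]


def naive_filter(value: str) -> str:
    """Single-pass, case-sensitive removal of the literal string '<script>'."""
    return value.replace("<script>", "")


def case_insensitive_filter(value: str) -> str:
    """Fixes the lowercase-only mistake but is still a single pass."""
    return re.sub(r"<script>", "", value, flags=re.I)


def recursive_filter(value: str) -> str:
    """Re-applies the filter until the input stops changing (defeats nesting only)."""
    while True:
        cleaned = case_insensitive_filter(value)
        if cleaned == value:
            return cleaned
        value = cleaned


def encode_for_html(value: str) -> str:
    """Contextual output encoding for HTML text and attribute values:
    < > & " ' become entities, so the browser never sees a tag."""
    return html.escape(value, quote=True)


def contains_start_tag(value: str) -> bool:
    """Rough parser-style check: is there a '<' that could open a tag or comment?"""
    return re.search(r"<[a-zA-Z/!]", value) is not None


def evaluate() -> dict[str, list[bool]]:
    """For each strategy, whether each CASE still contains a tag after treatment.
    A True anywhere means the strategy let markup through."""
    strategies = {
        "naive": naive_filter,
        "case_insensitive": case_insensitive_filter,
        "recursive": recursive_filter,
        "encode": encode_for_html,
    }
    return {name: [contains_start_tag(fn(c)) for c in CASES] for name, fn in strategies.items()}


if __name__ == "__main__":
    for name, results in evaluate().items():
        print(f"{name:17} tag survives: {results}")
```

Each filter variant closes one hole and leaves the next open, and none of them knows about `<img>` because a blocklist is never complete; only the encoding column is all False. That is the practical reason the firewall tips above keep working against filters, and the reason the fix belongs in the application's output encoding rather than in a WAF rule.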