Blind XSS for beginners
I get a lot of DM’s in twitter asking questions about Blind XSS like which tool to use, how to register in XSShunter, where to spray the payload etc etc.So I am writing this blog in hopes of answering some of those questions.
Note: This article is for people who are just starting with bug bounty hunting.Leets can leave this blog right here:)
What is Blind XSS?
It is a type of stored XSS where attackers input is saved by server and is reflected in a totally different application used by system admin/team member.
Tools you can use for Blind XSS:
Currently I use the web version of XSShunter for finding Blind XSS.There are few other tools which you can use:
- ezXSS(has 2FA, email reports, share reports feature)
- bXSS(Has slack/sms notification feature)
- KNOXSS(has email feature)
- Burp Collaborator
How to register for XSShunter? Is it free? Do we need a domain in our name to use XSShunter?
I use the web version of XSShunter as I don’t have patience to setup the tool on my server:) Its free of cost and you can set it up by visiting XSShunter website .Enter all the mandatory fields, in the Custom Subdomain text box you can enter any 2–3 characters.(You are not supposed to enter your website URL here:)).With that you should be set to use the tool.
You can setup XSSHunter on your server by following these instructions
I also use the KNOXSS firefox plugin sometimes.If knoxss finds Blind XSS in a website it will mail you the vulnerability details.
So where do you get the payloads from and where do you spray the payloads?
Within XSShunter there is a tab for payloads,You can get all the payloads from there and its better to have a copy of all the payloads locally with you so that you can use/spray it when you need it.
Now moving to questions about where to spray these payloads, this has been discussed on twitter/slack a lot of times.Here are few tips from top BB hunters.
Any interesting BXSS which I have found?
- In a private bounty site, there was an option to create reports.I created a new report with report name as blind XSS payload.For my Luck, the company had a daily batch job which would sync the data across all their QA/Stage and pentest environments. Next day my XSShunter portal was full of reports with payload firing in 6–7 different internal environments owned by customer .Company Paid 5000$ for BXSS in 6 different endpoints.
- Submitted Blind XSS payload in contact me form in PBB program and it fired in their backend salesforce application.
- Submitted Blind XSS payload in a chat request and it fired in marketo application which company was using to collect chat data.
Any other writeups/tutorials to refer?
- https://thehackerblog.com/breaching-a-ca-blind-cross-site-scripting-bxss-in-the-geotrust-ssl-operations-panel-using-xss-hunter/index.html
- https://mhmdiaa.github.io/blind-xss-in-spotify/
- https://hackerone.com/reports/275518
- https://hackerone.com/reports/314126
- https://brutelogic.com.br/blog/blind-xss-code/
- http://www.agarri.fr/kom/archives/2017/04/04/exploiting_a_blind_xss_using_burp_suite/index.html
- https://thehackerblog.com/poisoning-the-well-compromising-godaddy-customer-support-with-blind-xss/
Update(30/07/2018)
Many of you had question about how to check if XSShunter is working fine or not.Simple!
Take all the payloads from the XSShunter site and save it into a HTML file and open that html file in your browser.After file has opened,go to XSShunter and check if you see any new entries.If there are entries then XSShunter is working fine.
For any questions, you can get in touch with me at Syntaxerror
until next time
