How I was able to find 4 Cross-site scripting (XSS) on a vulnerability disclosure program?
source: https://medium.com/@DrakenKun/how-i-was-able-to-find-4-cross-site-scripting-xss-on-vulnerability-disclosure-program-e2f39199ae16
Hello, I'm Amr Mustafa, AKA DrakenKun
Today I'll explain how I found these reflected XSS vulnerabilities
First I will list the tools that I used during this process:
ParamSpider
gau
kxss
Arjun
Let's say our domain name is example.com
I used ParamSpider for finding some interesting parameters
We got a large number of parameters. Now, in the final output, we can see every reflected parameter and its unfiltered values. And here comes the role of the kxss tool
I just typed :
The vulnerable parameter for XSS should have Unfiltered : [ " ' < > $ | ( ) ` : ; { } ]
I noticed here that I got 2 interesting vulnerable parameters named "goto" in different endpoints
Let's say the 2 links are
1. example.com/login.jsp?goto=
2. cloud.example.com/login.html?goto=
I just visited the URL and injected my simple payload in the parameter
I also typed the same payload in the other URL and JavaScript did its job :)
I reported these two vulnerabilities on Bugcrowd with some kind of satisfaction
After exactly 1 day
I asked myself: ok, now that you got 2 vulnerable parameters, both of them called "goto" and vulnerable to XSS,
how about trying to find more parameters with the same name?!!
I simply used Google dorks
typed ..
I got some results but unfortunately they aren't vulnerable!
I gave it another chance..
I used a beautiful tool called gau
get all urls (gau) fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, Common Crawl, and URLScan for any given domain. Inspired by Tomnomnom's waybackurls.
Quite simply, all I wanted was to find any parameter called "goto" to get a chance of finding new XSSs
I visited every result and started injecting JavaScript payloads
and guess what happened?
Yeah :)
I got the third XSS with a basic payload to bypass the WAF
Now we got 3 :D
The 3 XSSs are in 3 different endpoints
I visited them again and started looking for parameters to test
Here I used a tool called Arjun
I got some parameters here and started injecting every one of them
One of these parameters is called "SPID"; I noticed that both characters "< >" are reflected in the source code!
And I quickly started typing my payload
And Boom !!
I tried that with the other endpoints but found nothing
I reported these 4 vulnerabilities and Alhamdulillah all of them were accepted as Unresolved
You can follow me on Twitter to get some useful information
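The kxss "Unfiltered" list from the first finding and the "< >" reflection on the SPID parameter are the same test: does a special character come back in the response body without being encoded? Below is an added example of that check, written for this page (it is not code from the post, from kxss, or from Arjun), run offline against two constructed handlers: one that reflects the "goto" parameter raw, as the post's endpoints did, and one that HTML-encodes it. The handler names, the canary format and the sample URL are assumptions of the example.

```python
# Added example for this write-up (not code from the post, kxss, or Arjun):
# a kxss-style reflection check run offline against two constructed handlers.
# Handler names, the canary format and the sample URL are assumptions made here.
import html
from typing import Callable, List
from urllib.parse import parse_qs, urlencode, urlsplit

# The character set the post lists as kxss's "Unfiltered" check.
KXSS_CHARS = ['"', "'", "<", ">", "$", "|", "(", ")", "`", ":", ";", "{", "}"]


def vulnerable_login(query: str) -> str:
    """Constructed stand-in for the post's buggy endpoint: the 'goto' value
    is written into the HTML without any output encoding."""
    goto = parse_qs(query).get("goto", [""])[0]
    return f"<html><body><p>Redirecting to {goto} ...</p></body></html>"


def hardened_login(query: str) -> str:
    """Same handler with HTML entity encoding applied to the reflected value,
    which is the usual fix for reflected XSS in an HTML text context."""
    goto = parse_qs(query).get("goto", [""])[0]
    safe = html.escape(goto, quote=True)  # encodes & < > " '
    return f"<html><body><p>Redirecting to {safe} ...</p></body></html>"


def unfiltered_chars(handler: Callable[[str], str], url: str, param: str) -> List[str]:
    """Probe one parameter with each special character wrapped in a short
    canary and return the characters that come back verbatim in the response.
    This is the check the post relies on kxss for, reduced to a local call."""
    existing = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    reflected = []
    for ch in KXSS_CHARS:
        probe = f"kx{ch}ss"  # canary: a stray '<' elsewhere on the page must not count
        query = dict(existing)
        query[param] = probe
        body = handler(urlencode(query))
        if probe in body:
            reflected.append(ch)
    return reflected


def tag_injection_possible(reflected: List[str]) -> bool:
    """The post's SPID observation in code: unescaped '<' and '>' together mean
    a tag can be opened in an HTML text context, so the finding is worth
    escalating; other characters alone are not enough in that context."""
    return "<" in reflected and ">" in reflected


if __name__ == "__main__":
    url = "https://example.com/login.jsp?goto="  # the post's first endpoint
    for name, handler in (("vulnerable", vulnerable_login), ("hardened", hardened_login)):
        chars = unfiltered_chars(handler, url, "goto")
        print(f"{name}: Unfiltered: {chars} tag injection: {tag_injection_possible(chars)}")
```

Running it shows all 13 characters unfiltered on the raw handler and only the characters that html.escape leaves alone on the encoded one. Those remaining characters are harmless in an HTML text context, but they would matter if the same value were placed inside a script block or an event-handler attribute, which is why the context of the reflection matters as much as the character list when triaging a kxss hit.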
Thank U ❤