❌xss
Get Parameter as much as possible
https://github.com/devanshbatham/ParamSpider
gospider -S tageturls.txt -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -e "code-200" | awk '{print $5}'|grep "=" | qsreplace -a | dalfox pipe -o result.txt
Waybackurls | gau
https://github.com/s0md3v/Arjun
https://github.com/hakluke/hakrawler
https://github.com/PortSwigger/param-miner
Combine all in a file and remove duplicates.
Run XSS fuzzer
https://github.com/s0md3v/XSStrike
https://github.com/hahwul/dalfox
Resources:
https://blog.yeswehack.com/yeswerhackers/parameter-discovery-quick-guide-to-start/
https://infosecwriteups.com/tale-of-my-first-xss-27f622bc47c0
dalfox usage:
another technique to find XSS
Scrape all urls from the domain using gau
then sort the result using grep command:
cat url.txt | grep “utm_”
do testing
resources:
https://santoshdbobade.medium.com/how-i-got-reflected-cross-site-scripting-rxss-on-manchester-metropolitan-university-700b36cb4f53
Custom useful XSS Attack Vectors
Encoding Bypass:
Last updated