From 25f76a8c66772fd263c2068862fe38a8963d3b8c Mon Sep 17 00:00:00 2001 From: Xalgord Date: Wed, 26 Jul 2023 17:49:11 +0000 Subject: [PATCH] GITBOOK-57: change request with no subject merged in GitBook --- SUMMARY.md | 1 + ...xss-on-vulnerability-disclosure-program.md | 140 ++++++++++++++++++ 2 files changed, 141 insertions(+) create mode 100644 recon-strategies-by-other-hackers/how-i-was-able-to-find-4-cross-site-scripting-xss-on-vulnerability-disclosure-program.md diff --git a/SUMMARY.md b/SUMMARY.md index b0a632f..0616d70 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -12,5 +12,6 @@ * [🔎 Deep-Subdomains-Enumeration-Methodology](recon-strategies-by-other-hackers/deep-subdomains-enumeration-methodology.md) * [🔎 How I hacked NASA and got 8 bugs ?](recon-strategies-by-other-hackers/how-i-hacked-nasa-and-got-8-bugs.md) * [🔎 Simple Recon Methodology](recon-strategies-by-other-hackers/simple-recon-methodology.md) + * [🔎 How I was able to find 4 Cross-site scripting (XSS) on vulnerability disclosure program ?](recon-strategies-by-other-hackers/how-i-was-able-to-find-4-cross-site-scripting-xss-on-vulnerability-disclosure-program.md) * [🌀 Possible "Content-Type" Header values](possible-content-type-header-values.md) * [🎯 XSS nuclei template CVE-2023-24488.yaml](xss-nuclei-template-cve-2023-24488.yaml.md) diff --git a/recon-strategies-by-other-hackers/how-i-was-able-to-find-4-cross-site-scripting-xss-on-vulnerability-disclosure-program.md b/recon-strategies-by-other-hackers/how-i-was-able-to-find-4-cross-site-scripting-xss-on-vulnerability-disclosure-program.md new file mode 100644 index 0000000..640ee1d --- /dev/null +++ b/recon-strategies-by-other-hackers/how-i-was-able-to-find-4-cross-site-scripting-xss-on-vulnerability-disclosure-program.md 
@@ -0,0 +1,140 @@ +--- +description: >- + source: + https://medium.com/@DrakenKun/how-i-was-able-to-find-4-cross-site-scripting-xss-on-vulnerability-disclosure-program-e2f39199ae16 +--- + +# 🔎 How I was able to find 4 Cross-site scripting (XSS) on vulnerability disclosure program ? + +Hello I’m Amr Mustafa AKA DrakenKun + +Today I’ll explain how I found these reflected XSS vulnerabilities + +First I will list the tools that I used during this process :- + +1. ParamSpider +2. gau +3. kxss +4. Arjun + +Let’s say our domain name called **example.com** + +I used ParamSpider for finding some interested parameters + +``` +python3 paramaspider -d example.com -o parameters.txt +``` + +We got a large number of parameters , now in the final output we can see every reflected parameters and unfiltered values. And here comes the role of kxss tool + +I just typed : + +``` +cat parameters.txt | kxss +``` + +

some of interested parameters are found here

+ +The vulnerable parameter for XSS should have Unfiltered : **\[“ ‘ < > $ | ( ) \` : ; { } ]** + +I noticed here that I got 2 interested vulnerable parameters named **“goto”** in different endpoints + +let’s say the 2 links are + +1. example.com/**login.jsp?goto=** + +2\. cloud.example.com/**login.html?goto=** + +Just visited the url and injected my simple payload in the parameter + +``` +">

javascript alert !

+ +Also typed the same payload in the other url and javascript did his job :) + +I reported these two vulnerabilities in Bugcrowd with some kind of satisfaction + +After exactly 1 day + +I asked myself , ok now if you got 2 vulnerable parameters both of them called **“goto“** and possible for XSS + +how about try finding more of any parameter has the same name ?!! + +I simply used **google dorks** + +typed .. + +``` +site:"example.com" inurl:"?goto=" +``` + +I got some results but unfortunately aren’t vulnerable ! + +gave another chance .. + +I used beautiful tool called [**gau**](https://github.com/lc/gau) + +get all urls (gau) fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, Common Crawl, and URLScan for any given domain. Inspired by Tomnomnom's [waybackurls](https://github.com/tomnomnom/waybackurls). + +Quite simply, all I want is finding any parameter called **“goto”** to get any chance for finding new XSS’s + +``` +gau example.com | grep "?goto=" +``` + +

new results

+ +I visited every results and start inject javascript payloads + +and guess what happened ? + +Yeah :) + +got the third XSS with some basic payload to Bypass the WAF + +``` +<%2FScriPt>document.write(document.cookie);<%2FsCriPt> +``` + +
+ +

the source code

+ +Now we got 3 :D + +The 3 XSS’s are in 3 different endpoints + +I visited them again and start finding any parameters for testing + +Here I used tool called **Arjun** + +``` +arjun -u example.com/login.jsp +``` + +I got some parameters here and start inject every one of them + +one of these parameters is called **“SPID”** , I noticed that both characters “< >” are refelcted on the source code ! + +And I quickly start typing my payload + +``` +">

The fourth XSS fires !

+ +I tried that with the other endpoints but I found nothing + +I reported these 4 vulnerabilities and Alhamdulillah all of them accepted as Unresolved + +
+ +You can follow me in [twitter ](https://twitter.com/Amr\_MustafaAA)to get some useful informations + +Thank U ❤
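Review bot: the two payload blocks that open with `+">` (the one before the "javascript alert !" figure and the one before "The fourth XSS fires !" figure) look truncated: the fence is opened, the line `">` is all that remains, and no closing ``` appears before the next paragraph, so the rest of the payload was most likely stripped as raw HTML during the GitBook import. Either restore the text from the linked Medium source or add a sentence saying the payload was elided; as written, the third finding's `<%2FScriPt>document.write(document.cookie);<%2FsCriPt>` is the only payload a reader can actually follow. Smaller points in the same hunk: the ParamSpider command reads `python3 paramaspider -d example.com -o parameters.txt` while the tool is listed as "ParamSpider" (typo in the binary name), and the fences carry no language tag; the kxss unfiltered-character list `**\[“ ‘ < > $ | ( ) \` : ; { } ]**` has had its ASCII `"` and `'` replaced by curly quotes, which changes the meaning of the list for anyone copying it; the second endpoint is written `2\. cloud.example.com/...` so it will render as plain text rather than as item 2 of the list started by `1. example.com/**login.jsp?goto=**`; and "refelcted", "informations" and "javascript did his job" should be "reflected", "information" and "the JavaScript executed".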