GITBOOK-57: change request with no subject merged in GitBook

This commit is contained in:
Xalgord 2023-07-26 17:49:11 +00:00 committed by gitbook-bot
parent 0216b95d55
commit 25f76a8c66
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
2 changed files with 141 additions and 0 deletions

View file

@ -12,5 +12,6 @@
* [🔎 Deep-Subdomains-Enumeration-Methodology](recon-strategies-by-other-hackers/deep-subdomains-enumeration-methodology.md)
* [🔎 How I hacked NASA and got 8 bugs ?](recon-strategies-by-other-hackers/how-i-hacked-nasa-and-got-8-bugs.md)
* [🔎 Simple Recon Methodology](recon-strategies-by-other-hackers/simple-recon-methodology.md)
* [🔎 How I was able to find 4 Cross-site scripting (XSS) on vulnerability disclosure program ?](recon-strategies-by-other-hackers/how-i-was-able-to-find-4-cross-site-scripting-xss-on-vulnerability-disclosure-program.md)
* [🌀 Possible "Content-Type" Header values](possible-content-type-header-values.md)
* [🎯 XSS nuclei template CVE-2023-24488.yaml](xss-nuclei-template-cve-2023-24488.yaml.md)

View file

@ -0,0 +1,140 @@
---
description: >-
source:
https://medium.com/@DrakenKun/how-i-was-able-to-find-4-cross-site-scripting-xss-on-vulnerability-disclosure-program-e2f39199ae16
---
# 🔎 How I was able to find 4 Cross-site scripting (XSS) on vulnerability disclosure program ?
Hello Im Amr Mustafa AKA DrakenKun
Today Ill explain how I found these reflected XSS vulnerabilities
First I will list the tools that I used during this process :-
1. ParamSpider
2. gau
3. kxss
4. Arjun
Lets say our domain name called **example.com**
I used ParamSpider for finding some interested parameters
```
python3 paramaspider -d example.com -o parameters.txt
```
We got a large number of parameters , now in the final output we can see every reflected parameters and unfiltered values. And here comes the role of kxss tool
I just typed :
```
cat parameters.txt | kxss
```
<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*irL1TTU7md76d0xWoQI-JQ.png" alt="" height="276" width="700"><figcaption><p>some of interested parameters are found here</p></figcaption></figure>
The vulnerable parameter for XSS should have Unfiltered : **\[“ < > $ | ( ) \` : ; { } ]**
I noticed here that I got 2 interested vulnerable parameters named **“goto”** in different endpoints
lets say the 2 links are
1. example.com/**login.jsp?goto=**
2\. cloud.example.com/**login.html?goto=**
Just visited the url and injected my simple payload in the parameter
```
"><img%20src=x%20onerror="alert(%27POC%20By%20DrakenKun%27)"
```
<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*UjCRvo_RIzM-ZXWk65KDvQ.png" alt="" height="289" width="700"><figcaption><p>javascript alert !</p></figcaption></figure>
Also typed the same payload in the other url and javascript did his job :)
I reported these two vulnerabilities in Bugcrowd with some kind of satisfaction
After exactly 1 day
I asked myself , ok now if you got 2 vulnerable parameters both of them called **“goto“** and possible for XSS
how about try finding more of any parameter has the same name ?!!
I simply used **google dorks**
typed ..
```
site:"example.com" inurl:"?goto="
```
I got some results but unfortunately arent vulnerable !
gave another chance ..
I used beautiful tool called [**gau**](https://github.com/lc/gau)
get all urls (gau) fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, Common Crawl, and URLScan for any given domain. Inspired by Tomnomnom's [waybackurls](https://github.com/tomnomnom/waybackurls).
Quite simply, all I want is finding any parameter called **“goto”** to get any chance for finding new XSSs
```
gau example.com | grep "?goto="
```
<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*rCgsoUoy0jYlkuuhg2-4Pw.png" alt="" height="69" width="700"><figcaption><p>new results</p></figcaption></figure>
I visited every results and start inject javascript payloads
and guess what happened ?
Yeah :)
got the third XSS with some basic payload to Bypass the WAF
```
<%2FScriPt><sCripT+class%3DDrakenKun>document.write(document.cookie);<%2FsCriPt>
```
<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*b6nR2Qwf0fH3cdsdKFv77A.png" alt="" height="86" width="700"><figcaption></figcaption></figure>
<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*eiz-e_C4z6BdmFqwAbYrlg.png" alt="" height="43" width="700"><figcaption><p>the source code</p></figcaption></figure>
Now we got 3 :D
The 3 XSSs are in 3 different endpoints
I visited them again and start finding any parameters for testing
Here I used tool called **Arjun**
```
arjun -u example.com/login.jsp
```
I got some parameters here and start inject every one of them
one of these parameters is called **“SPID”** , I noticed that both characters “< >” are refelcted on the source code !
And I quickly start typing my payload
```
"><img%20src=x%20onerror="alert(%27POC%20By%20DrakenKun%27)"
```
And Boom !!
<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*ycO3Nr8k1Y1FlULAm7O72A.png" alt="" height="288" width="700"><figcaption><p>The fourth XSS fires !</p></figcaption></figure>
I tried that with the other endpoints but I found nothing
I reported these 4 vulnerabilities and Alhamdulillah all of them accepted as Unresolved
<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*cD6owwrjYCbtsRJGfRXeeg.png" alt="" height="491" width="700"><figcaption></figcaption></figure>
You can follow me in [twitter ](https://twitter.com/Amr\_MustafaAA)to get some useful informations
Thank U ❤