---
description: >-
source:
https://medium.com/@DrakenKun/how-i-was-able-to-find-4-cross-site-scripting-xss-on-vulnerability-disclosure-program-e2f39199ae16
---
# 🔎 How I was able to find 4 Cross-site scripting (XSS) on a vulnerability disclosure program?
Hello, I'm Amr Mustafa, AKA DrakenKun.
Today I'll explain how I found these reflected XSS vulnerabilities.
First, I will list the tools that I used during this process:
1. ParamSpider
2. gau
3. kxss
4. Arjun
Let's say our domain is called **example.com**.
I used ParamSpider to find some interesting parameters:
```
python3 paramspider.py -d example.com -o parameters.txt
```
We got a large number of parameters. In the final output we can see every reflected parameter and which values come back unfiltered, and here comes the role of the kxss tool.
I just typed:
```
cat parameters.txt | kxss
```
A parameter that is vulnerable to XSS should show up in the kxss output with Unfiltered: **\[" ' < > $ | ( ) \` : ; { } ]**
I noticed here that I got 2 interesting vulnerable parameters named **"goto"** in different endpoints.
Let's say the 2 links are:
1. example.com/**login.jsp?goto=**
2. cloud.example.com/**login.html?goto=**
I just visited the URL and injected my simple payload in the parameter:
```
">
```
JavaScript alert!
I also typed the same payload in the other URL and JavaScript did its job :)
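What kxss is doing in the step above, and what the `">` payload relies on, can be shown offline. The following is an added example, not code from the write-up or from kxss itself: a hypothetical `login.jsp`-style page that copies `goto` into a quoted attribute (the vulnerable sink), the same page with HTML attribute encoding applied, and a probe that reflects a marker plus each of the characters the write-up lists and reports which ones come back raw. The renderer functions and the `kxssprobe` marker are assumptions made for the example.

```python
import html

# The characters kxss probes for, as listed in the write-up.
KXSS_CHARS = ['"', "'", "<", ">", "$", "|", "(", ")", "`", ":", ";", "{", "}"]


def render_login_vulnerable(goto: str) -> str:
    """Hypothetical login page that copies ?goto= into a quoted attribute verbatim.
    This is the kind of sink a "> payload breaks out of."""
    return ('<form action="/login">'
            f'<input type="hidden" name="goto" value="{goto}">'
            '</form>')


def render_login_hardened(goto: str) -> str:
    """Same page with HTML attribute encoding applied to the reflected value."""
    safe = html.escape(goto, quote=True)  # encodes & < > " and '
    return ('<form action="/login">'
            f'<input type="hidden" name="goto" value="{safe}">'
            '</form>')


def unfiltered_chars(render, marker: str = "kxssprobe", chars=KXSS_CHARS) -> list:
    """Mimic the kxss check offline: reflect marker+char for each character and
    report the characters that come back raw (unencoded) right after the marker.
    `render` stands in for an HTTP request/response pair against the real page."""
    return [c for c in chars if marker + c in render(marker + c)]


def attribute_breakout_possible(unfiltered) -> bool:
    """Inside a double-quoted attribute, a raw quote or angle bracket is what lets
    a value escape the attribute or open a new tag; the other probed characters
    are harmless in this particular context."""
    return any(c in unfiltered for c in ('"', "'", "<", ">"))


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_login_vulnerable),
                           ("hardened", render_login_hardened)):
        raw = unfiltered_chars(renderer)
        print(f"{name}: Unfiltered: {raw} -> attribute breakout: "
              f"{attribute_breakout_possible(raw)}")
```

Against the vulnerable renderer all 13 characters come back unfiltered; against the hardened one `html.escape` removes `" ' < >` but still leaves `$ | ( ) ` : ; { }` reflected, which is why a kxss line has to be read together with the context the value lands in: those remaining characters do not break out of a quoted attribute, so the encoded page is not exploitable there even though kxss would still list them.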
I reported these two vulnerabilities on Bugcrowd with some kind of satisfaction.
After exactly 1 day,
I asked myself: ok, now that you got 2 vulnerable parameters, both of them called **"goto"** and possible for XSS,
how about trying to find more parameters with the same name?!
I simply used **Google dorks**
and typed:
```
site:"example.com" inurl:"?goto="
```
I got some results but unfortunately they aren't vulnerable!
I gave it another chance..
I used a beautiful tool called [**gau**](https://github.com/lc/gau)
get all urls (gau) fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, Common Crawl, and URLScan for any given domain. Inspired by Tomnomnom's [waybackurls](https://github.com/tomnomnom/waybackurls).
Quite simply, all I wanted was to find any parameter called **"goto"** to get a chance of finding new XSSs:
```
gau example.com | grep "?goto="
```
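Filtering the gau output is where the candidate list is built, and `grep "?goto="` has one blind spot: it only matches URLs in which `goto` is the first query parameter (`...?lang=fr&goto=...` is skipped; `grep -E '[?&]goto='` closes that gap in the shell). The following is an added example, not part of the write-up or of gau: it parses each URL, keeps those carrying a parameter of the given name in any position, and collapses them to one template per host, path and parameter-name set, so thousands of archived URLs become a short list of endpoints to test by hand. `SAMPLE_URLS` is a constructed stand-in for the tool's output.

```python
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Constructed stand-in for `gau example.com` output (not real data).
SAMPLE_URLS = [
    "https://example.com/login.jsp?goto=/home",
    "https://example.com/login.jsp?goto=/account&lang=en",
    "http://example.com/login.jsp?lang=fr&goto=/home",    # goto is not the first parameter
    "https://cloud.example.com/login.html?goto=https://example.com/",
    "https://example.com/help?topic=goto",                 # 'goto' appears only as a value
    "https://example.com/static/app.js?v=123",
    "https://example.com/login.jsp?goto=%2Fhome",          # same endpoint as the first, other value
]


def urls_with_param(urls, name):
    """Return the URLs whose query string carries a parameter called `name`,
    in any position; a plain grep for "?name=" only sees it when it is first."""
    hits = []
    for u in urls:
        keys = {k for k, _ in parse_qsl(urlsplit(u).query, keep_blank_values=True)}
        if name in keys:
            hits.append(u)
    return hits


def unique_endpoints(urls, name):
    """Collapse the hits to one template per (host, path, parameter-name set),
    dropping the values, so that each distinct endpoint is listed once."""
    seen = set()
    templates = []
    for u in urls_with_param(urls, name):
        p = urlsplit(u)
        names = sorted({k for k, _ in parse_qsl(p.query, keep_blank_values=True)})
        key = (p.netloc.lower(), p.path, tuple(names))
        if key in seen:
            continue
        seen.add(key)
        query = "&".join(f"{n}=" for n in names)
        templates.append(urlunsplit((p.scheme, p.netloc.lower(), p.path, query, "")))
    return templates


if __name__ == "__main__":
    for template in unique_endpoints(SAMPLE_URLS, "goto"):
        print(template)
```

On the constructed list, five of the seven URLs carry `goto` (including the one where it is the second parameter, which the grep in the write-up would have dropped), and they reduce to three endpoint templates.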
I visited every result and started injecting JavaScript payloads,
and guess what happened?
Yeah :)
I got the third XSS with a basic payload to bypass the WAF:
```
<%2FScriPt>
```