---
description: >-
  source:
  https://medium.com/@DrakenKun/how-i-was-able-to-find-4-cross-site-scripting-xss-on-vulnerability-disclosure-program-e2f39199ae16
---

# 🔎 How I was able to find 4 Cross-site scripting (XSS) on vulnerability disclosure program ?

Hello I’m Amr Mustafa AKA DrakenKun

Today I’ll explain how I found these reflected XSS vulnerabilities

First I will list the tools that I used during this process :-

1. ParamSpider
2. gau
3. kxss
4. Arjun

Let’s say our domain name called **example.com**

I used ParamSpider for finding some interested parameters

```
python3 paramaspider -d example.com -o parameters.txt 
```

We got a large number of parameters , now in the final output we can see every reflected parameters and unfiltered values. And here comes the role of kxss tool

I just typed :

```
cat parameters.txt | kxss 
```

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*irL1TTU7md76d0xWoQI-JQ.png" alt="" height="276" width="700"><figcaption><p>some of interested parameters are found here</p></figcaption></figure>

The vulnerable parameter for XSS should have Unfiltered : **\[“ ‘ < > $ | ( ) \` : ; { } ]**

I noticed here that I got 2 interested vulnerable parameters named **“goto”** in different endpoints

let’s say the 2 links are

1. example.com/**login.jsp?goto=**

2\. cloud.example.com/**login.html?goto=**

Just visited the url and injected my simple payload in the parameter

```
"><img%20src=x%20onerror="alert(%27POC%20By%20DrakenKun%27)"
```

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*UjCRvo_RIzM-ZXWk65KDvQ.png" alt="" height="289" width="700"><figcaption><p>javascript alert !</p></figcaption></figure>

Also typed the same payload in the other url and javascript did his job :)

I reported these two vulnerabilities in Bugcrowd with some kind of satisfaction

After exactly 1 day

I asked myself , ok now if you got 2 vulnerable parameters both of them called **“goto“** and possible for XSS

how about try finding more of any parameter has the same name ?!!

I simply used **google dorks**

typed ..

```
site:"example.com" inurl:"?goto="
```

I got some results but unfortunately aren’t vulnerable !

gave another chance ..

I used beautiful tool called [**gau**](https://github.com/lc/gau)

get all urls (gau) fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, Common Crawl, and URLScan for any given domain. Inspired by Tomnomnom's [waybackurls](https://github.com/tomnomnom/waybackurls).

Quite simply, all I want is finding any parameter called **“goto”** to get any chance for finding new XSS’s

```
gau example.com | grep "?goto="
```

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*rCgsoUoy0jYlkuuhg2-4Pw.png" alt="" height="69" width="700"><figcaption><p>new results</p></figcaption></figure>

I visited every results and start inject javascript payloads

and guess what happened ?

Yeah :)

got the third XSS with some basic payload to Bypass the WAF

```
<%2FScriPt><sCripT+class%3DDrakenKun>document.write(document.cookie);<%2FsCriPt>
```

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*b6nR2Qwf0fH3cdsdKFv77A.png" alt="" height="86" width="700"><figcaption></figcaption></figure>

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*eiz-e_C4z6BdmFqwAbYrlg.png" alt="" height="43" width="700"><figcaption><p>the source code</p></figcaption></figure>

Now we got 3 :D

The 3 XSS’s are in 3 different endpoints

I visited them again and start finding any parameters for testing

Here I used tool called **Arjun**

```
arjun -u example.com/login.jsp
```

I got some parameters here and start inject every one of them

one of these parameters is called **“SPID”** , I noticed that both characters “< >” are refelcted on the source code !

And I quickly start typing my payload

```
"><img%20src=x%20onerror="alert(%27POC%20By%20DrakenKun%27)"
```

And Boom !!

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*ycO3Nr8k1Y1FlULAm7O72A.png" alt="" height="288" width="700"><figcaption><p>The fourth XSS fires !</p></figcaption></figure>

I tried that with the other endpoints but I found nothing

I reported these 4 vulnerabilities and Alhamdulillah all of them accepted as Unresolved

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*cD6owwrjYCbtsRJGfRXeeg.png" alt="" height="491" width="700"><figcaption></figcaption></figure>

You can follow me in [twitter ](https://twitter.com/Amr\_MustafaAA)to get some useful informations

Thank U ❤