Mirrors/My-Methodologies
2
0
Fork 0
mirror of https://github.com/xalgord/My-Methodologies.git synced 2024-11-25 21:20:17 +00:00
Code Issues Projects Releases Packages Wiki Activity
My-Methodologies/recon-strategies-by-other-hackers/how-i-was-able-to-find-4-cross-site-scripting-xss-on-vulnerability-disclosure-program.md

140 lines
4.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
description: >-
source:
https://medium.com/@DrakenKun/how-i-was-able-to-find-4-cross-site-scripting-xss-on-vulnerability-disclosure-program-e2f39199ae16
---
# 🔎 How I was able to find 4 Cross-site scripting (XSS) on vulnerability disclosure program ?
Hello Im Amr Mustafa AKA DrakenKun
Today Ill explain how I found these reflected XSS vulnerabilities
First I will list the tools that I used during this process :-
1. ParamSpider
2. gau
3. kxss
4. Arjun
Lets say our domain name called **example.com**
I used ParamSpider for finding some interested parameters
```
python3 paramaspider -d example.com -o parameters.txt
```
We got a large number of parameters , now in the final output we can see every reflected parameters and unfiltered values. And here comes the role of kxss tool
I just typed :
```
cat parameters.txt | kxss
```
<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*irL1TTU7md76d0xWoQI-JQ.png" alt="" height="276" width="700"><figcaption><p>some of interested parameters are found here</p></figcaption></figure>
The vulnerable parameter for XSS should have Unfiltered : **\[“ < > $ | ( ) \` : ; { } ]**
I noticed here that I got 2 interested vulnerable parameters named **“goto”** in different endpoints
lets say the 2 links are
1. example.com/**login.jsp?goto=**
2\. cloud.example.com/**login.html?goto=**
Just visited the url and injected my simple payload in the parameter
```
"><img%20src=x%20onerror="alert(%27POC%20By%20DrakenKun%27)"
```
<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*UjCRvo_RIzM-ZXWk65KDvQ.png" alt="" height="289" width="700"><figcaption><p>javascript alert !</p></figcaption></figure>
Also typed the same payload in the other url and javascript did his job :)
I reported these two vulnerabilities in Bugcrowd with some kind of satisfaction
After exactly 1 day
I asked myself , ok now if you got 2 vulnerable parameters both of them called **“goto“** and possible for XSS
how about try finding more of any parameter has the same name ?!!
I simply used **google dorks**
typed ..
```
site:"example.com" inurl:"?goto="
```
I got some results but unfortunately arent vulnerable !
gave another chance ..
I used beautiful tool called [**gau**](https://github.com/lc/gau)
get all urls (gau) fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, Common Crawl, and URLScan for any given domain. Inspired by Tomnomnom's [waybackurls](https://github.com/tomnomnom/waybackurls).
Quite simply, all I want is finding any parameter called **“goto”** to get any chance for finding new XSSs
```
gau example.com | grep "?goto="
```
<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*rCgsoUoy0jYlkuuhg2-4Pw.png" alt="" height="69" width="700"><figcaption><p>new results</p></figcaption></figure>
I visited every results and start inject javascript payloads
and guess what happened ?
Yeah :)
got the third XSS with some basic payload to Bypass the WAF
```
<%2FScriPt><sCripT+class%3DDrakenKun>document.write(document.cookie);<%2FsCriPt>
```
<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*b6nR2Qwf0fH3cdsdKFv77A.png" alt="" height="86" width="700"><figcaption></figcaption></figure>
<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*eiz-e_C4z6BdmFqwAbYrlg.png" alt="" height="43" width="700"><figcaption><p>the source code</p></figcaption></figure>
Now we got 3 :D
The 3 XSSs are in 3 different endpoints
I visited them again and start finding any parameters for testing
Here I used tool called **Arjun**
```
arjun -u example.com/login.jsp
```
I got some parameters here and start inject every one of them
one of these parameters is called **“SPID”** , I noticed that both characters “< >” are refelcted on the source code !
And I quickly start typing my payload
```
"><img%20src=x%20onerror="alert(%27POC%20By%20DrakenKun%27)"
```
And Boom !!
<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*ycO3Nr8k1Y1FlULAm7O72A.png" alt="" height="288" width="700"><figcaption><p>The fourth XSS fires !</p></figcaption></figure>
I tried that with the other endpoints but I found nothing
I reported these 4 vulnerabilities and Alhamdulillah all of them accepted as Unresolved
<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*cD6owwrjYCbtsRJGfRXeeg.png" alt="" height="491" width="700"><figcaption></figcaption></figure>
You can follow me in [twitter ](https://twitter.com/Amr\_MustafaAA)to get some useful informations
Thank U ❤
Reference in a new issue View git blame Copy permalink