Finding my first XSS

Hello hunters. Hope you and your family are doing well amid this pandemic. This story is about the approach I took to find a Reflected XSS in a 5 year old private program on hackerone.

It’s my first blog so please bear with me . ;)

Let’s begin.

Let’s assume this program as redacted.com (for obvious reasons). It had a wildcard scope so as anyone would do, I started with “Subdomain Enumeration” and performed wayback urls on it.

I started finding patterns in the wayback output using the grep command. After a few tries I tried my XSS pattern.

cat waybacurls.txt | grep yourpatternhere

One can also use gf tools to fetch the patterns.

I found an endpoint that looked like about.redacted.com/?s=

I tried for the <script> command but the Firewall was blocking it. Then I remembered what XSS rat told me to start small.

I started by injecting header tags and it was manipulating the web page. I then tried

<img src=x>

and then

<img src=x onerror=alert(document.cookie);>

I got a beautiful popup and reported it immediately.

Takeaways from the write-up :-

If you have got an old program go straight for waybackurl. It’s like goldmine to find undiscovered vulnerable endpoints.While performing an XSS always start with tags that would not affect the website so that you aren’t blocked by any firewall. I use strike or header tags.When you find something worth sharing , share with the community.

Any constructive criticism on the blog is welcomed.

Thanks Niraj Modi for proof reading. (Follow on Twitter)

Here is my twitter handle @AnupamAS01. Feel free to reach me.