How to Find XSS in Wide Scope

This article is about doing recon at scale across a wide scope of assets (domains and subdomains).

Is it possible to search across lots of websites for XSS or something like that? Yep (:

I decided to write the commands separately for better understanding, but you can generally chain all of them into about two lines.

Thanks a lot to tomnomnom for making these powerful tools for all of us!

1st step is to find all subdomains of a website, using tools you probably know better than me (like assetfinder, subfinder, …).

But it's important to be sure they are in scope; the best way is to do this recon on programs whose scope is a wildcard like *.example.com.

assetfinder example.com >> all.txt

or you can grep for the domain to keep the output relevant:

assetfinder example.com | grep example.com >> all.txt

After finding all subdomains, we are going to collect URLs from the past that the Wayback Machine captured.

There are some tools that make that easier, like waybackurls.

cat all.txt | waybackurls >> urls

Now we have lots of wayback-captured assets in the urls file.

But the problem here is that some of these assets are dead! That means they don't exist anymore (maybe dropped, modified or …).

To fix this potential problem it's better to use a tool like httpx or httprobe, but depending on our goal we may or may not. Usually I don't use them because it takes a long time, and I always prefer to use my own tool or to test dead assets too.

So now we should separate the URLs that contain parameters; to do this we can just grep for '=' or '?'.
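The three filters above (in scope, has a parameter, not a duplicate) are easy to get subtly wrong with grep: a plain grep for example.com also matches example.com.evil.net and myexample.com, which are out of scope. Here is an added example, not the author's tool, that does the same filtering in Python over a constructed list of URLs (the hosts, the function names and the dedupe rule are my assumptions):

```python
from urllib.parse import urlparse, parse_qsl

# Constructed sample lines, standing in for what assetfinder | waybackurls
# would emit; none of these hosts or URLs are real captures.
SAMPLE_URLS = """\
https://www.example.com/search?q=test&lang=en
https://www.example.com/search?q=other
https://www.example.com/search?lang=fr&q=dup
https://example.com.evil.net/?redirect=1
https://myexample.com/login?next=/home
http://static.example.com/app.js
https://shop.example.com/item?id=42
"""

def in_scope(url: str, root: str = "example.com") -> bool:
    """True only when the host is root itself or ends with '.root'.
    A plain substring grep would also accept example.com.evil.net
    and myexample.com, which are out of scope."""
    host = (urlparse(url).hostname or "").lower()
    return host == root or host.endswith("." + root)

def naive_grep(url: str, root: str = "example.com") -> bool:
    """What `grep example.com` actually matches: any substring hit."""
    return root in url

def has_params(url: str) -> bool:
    """Keep only URLs with at least one query parameter."""
    return bool(parse_qsl(urlparse(url).query, keep_blank_values=True))

def dedupe_key(url: str) -> tuple:
    """Same scheme, host, path and parameter *names* count as one test case;
    the parameter values do not matter for a reflection test."""
    p = urlparse(url)
    names = tuple(sorted(k for k, _ in parse_qsl(p.query, keep_blank_values=True)))
    return (p.scheme, (p.hostname or "").lower(), p.path, names)

def filter_urls(text: str, root: str = "example.com") -> list:
    """In-scope, parameterised, deduplicated URLs in input order."""
    seen, out = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or not in_scope(line, root) or not has_params(line):
            continue
        key = dedupe_key(line)
        if key not in seen:
            seen.add(key)
            out.append(line)
    return out

if __name__ == "__main__":
    for u in filter_urls(SAMPLE_URLS):
        print(u)
```

Run it with `python3 filter_urls.py < /dev/null` (the sample is embedded) or feed the urls file through `filter_urls(open("urls").read())`. Deduplicating on parameter names rather than full URLs is what keeps the later reflection test from hitting the same endpoint hundreds of times with different values.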

2nd step is the final test on the assets, using public tools or our own.

Actually we have lots of params that are provided for communicating with the web app, so we should first find out what the functionality of each param is and then work on the potential vulnerabilities.

Some vulnerabilities we are able to find using this method:

1. XSS *

2. SSRF, SQLi, IDOR, open redirection, and any vulnerability caused by malicious user input as a parameter value…

XSS:

Let's see how to perform some XSS recon:

So after collecting parametric assets we can use a powerful tool to test all of them for XSS in GET request parameters:

kxss

cat urls | kxss >> final_output

Now in final_output we can see every reflected parameter and which characters come back unfiltered.

[first picture: kxss output listing reflected parameters and their unfiltered characters]

But how do we know which one is actually vulnerable to XSS?

In this picture we have two dangerous unfiltered characters (' and "), but these aren't certainly vulnerable to XSS! This tool shows us, for example, that (") is unfiltered, as you can see in the picture, but there is nothing to exploit, because you can't break out of any tag: the q parameter is reflected somewhere like:

<H1>here</H1>

And when this tool is testing for unfiltered characters:

<H1>here”</H1>

we can see that this reflection is unexploitable!

There is no filtering of most of the characters the user inputs, and that isn't a problem here, because an attacker can't break out of any string. To exploit this case we would need unfiltered (<>) to close the H1 tag and, for example, open an svg tag.

So some cases might be exploitable and some not.

Is there a neat way to get just the vulnerable cases? Yep :))))

It's possible to extract the vulnerable sites using automated tools. To build them you need to know Python or Go or something like that…

Golden hint for hunters:

In some vulnerabilities like XSS, SQLi, and some cases of command injection, we can break out of the usual string.

Let's see XSS in action to automate our tool:

For example, we have this tag in the source when the user enters test:

<input type="text" value="test">

As you know, on a vulnerable website, if the user enters test" in the input parameter, the reflection will be:

<input type="text" value="test"">

So to exploit it we can use this payload: " onmouseover="alert(9)

<input type="text" value="test" onmouseover="alert(9)">

To break out automatically we can send a request with a (") at the end of the value of the vulnerable parameter and check whether the response contains anything like <parameter=value"">; if yes => it is 90% likely to be vulnerable to XSS.

You can also make your tool multithreaded to save time 😉

3rd and final step is to exploit the final outputs manually. For this step you need to know JavaScript and some tips and tricks, because usually there are lots of limitations, like blacklists, sensitive words, length limits, operator-character filtering (like '=' in some cases), etc…

But there is a comprehensive resource you probably know:

PayloadsAllTheThings, XSS section.

If you didn't, check it out ☝🏻
