KNOXSS The WAFs Slayer.
Knoxss is a well-known tool that finds Cross-Site Scripting (XSS), a common web application flaw, and generates a PoC for it. Cross-site scripting is a type of injection in which malicious JavaScript code is injected into otherwise benign and trusted websites. Although XSS often looks like a harmless ‘alert’ box, it has a lot of impact if exploited the right way: a simple XSS can be turned into an account takeover.
Why Knoxss, and not some CLI script, you ask? Cross-site scripting is a bug that can trigger in many places, in different parameters, and so on. Some people prefer to throw XSS payloads by hand, which works as well, but what Knoxss adds is automation: it tests different cases, tries different tactics and then generates a PoC. That saves a lot of time, leaving you time to test other things instead of spending all your energy on XSS.
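To make the two points above concrete, here is an added example (my own illustration, not code from the original post or from the Knoxss tool): a constructed vulnerable handler that reflects a query parameter into HTML, its hardened counterpart, and the kind of reflection check an XSS scanner automates, implemented as a defensive test you can run against your own handlers. The handler names, the canary string and the sample output are all constructed for this example.

```javascript
// Vulnerable handler (constructed): reflects the "q" parameter straight into the HTML body.
function renderSearchVulnerable(query) {
  return `<html><body><h1>Results for: ${query}</h1></body></html>`;
}

// Encode the five HTML metacharacters; this is the correct fix for an
// HTML text or quoted-attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened handler (constructed): same page, but the parameter is encoded first.
function renderSearchHardened(query) {
  return `<html><body><h1>Results for: ${escapeHtml(query)}</h1></body></html>`;
}

// Probe: a unique canary followed by the characters that matter for XSS.
// If the canary comes back with any of them intact, the parameter is a
// candidate for script injection and should be reviewed.
const CANARY = "knx7q";
const PROBE = `${CANARY}"'<>`;

// Render the page with the probe and report which metacharacters survived
// unencoded right after the canary.
function reflectsUnescaped(render, probe = PROBE) {
  const body = render(probe);
  const idx = body.indexOf(CANARY);
  if (idx === -1) return { reflected: false, intact: [] };
  const tail = body.slice(idx + CANARY.length, idx + CANARY.length + 4);
  const intact = ['"', "'", "<", ">"].filter((c) => tail.includes(c));
  return { reflected: true, intact };
}

// Constructed run: the vulnerable handler leaks all four metacharacters,
// the hardened one reflects the canary but none of them.
console.log(reflectsUnescaped(renderSearchVulnerable)); // { reflected: true, intact: [ '"', "'", '<', '>' ] }
console.log(reflectsUnescaped(renderSearchHardened));   // { reflected: true, intact: [] }
```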
Knoxss can also bypass some WAFs that are in place. Brutelogic has considerable experience working with JavaScript and WAFs, and the tool reflects that.
I personally have bypassed almost all the WAFs I ever encountered during my pentests with its help. It's not that I am using a special Brute version of it; using my own methodology, I use the tool in the right place.
Some of my achievements in 2018 that were made possible by Knoxss:
1:- XSS in private site on HackerOne — 1800 $
2:- XSS in private site on HackerOne — 1200 $
3:- XSS in private site on Bugcrowd — 300 $
4:- XSS in private site on HackerOne — 80 $
5:- XSS in ING BANK — Bounty.
6:- XSS in ABNAMRO BANK — Bounty.
7:- XSS in American Express — No response.
8:- XSS in private sites outside any bug bounty platform — more than 6000 $
My Methodology for Finding XSS:
- Reconnaissance & Enumeration
- Knoxss
Recon:
Before blindly using Knoxss, it is important to do some recon so that you don't waste your time. Collecting subdomains, endpoints and parameters is necessary, and Burp Suite is your best friend here: it has many built-in tools that will help you.
PoC of getting XSS on an endpoint collected by Burp Suite Content Discovery:
Wordlists to use in Burp Suite Content Discovery:
All.txt by the great @Jhaddix
SecLists by Daniel Miessler
Content-Bruteforcing-Wordlist.
Oracle applications word-list
Payloads All The Things
FuzzDb
Uber XSS discovered by Knoxss:
Grabtaxi XSS discovered by Knoxss:
Some useful tools to discover hidden directories:
1:- Dirsearch:-
https://github.com/maurosoria/dirsearch
2:- Dirb:-
https://tools.kali.org/web-applications/dirb
3:- OWASP DirBuster Project:-
https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Bypassing WAFs:
I’ve bypassed some WAFs like Incapsula, Akamai, Cloudflare and more:
Incapsula WAF bypassing:- ING BANK
Akamai WAF bypassing:- AMERICAN EXPRESS
Akamai WAF bypassing:- ABNAMRO BANK.
Cloudflare WAF bypassing:- Practo
After the massive success of the Knoxss Beta, Knoxss 2.0 was released just a few days ago, around Black Friday. Some of the new features:
1:- Runtime Log feature.
2:- New add-on for Firefox Quantum.
3:- New XSS detection cases.
The sites mentioned in the post have already been contacted about the vulnerabilities.
Even after my previous article, many people contacted me to write in detail about the usage. A lot of people don’t understand the way this tool works so I wrote another article about it.
BugBountyTip: Hack the developer’s mind, because we are all human and humans make mistakes; nothing is completely secure, just remember that.
That's not all! The future of Knoxss is even brighter; you will definitely get your Knoxss Pro price back in bounties. (Amen)
Thanks to @brutelogic for their immense effort and hard work, and to @akita_zen and @IfrahIman_ for the support.
Happy Hunting to y’all !
-Emad.