Hello, everyone. I hope you are doing well.
Today I am going to talk about the technique by which I found my first XSS. Currently I am a noob in the bug hunting field, but with daily hard work and consistency one day I will also become a pro bug hunter, so without wasting time, let's begin.
XSS (cross-site scripting) is a security vulnerability that occurs when an attacker injects malicious scripts into web pages viewed by other users. XSS attacks aim to execute malicious scripts in the context of a victim's browser, allowing the attacker to steal sensitive information.
How to find them
1. Collect as many subdomains as you can
For collecting subdomains I use tools like assetfinder, subfinder and dnsx. assetfinder is developed by tomnomnom; subfinder and dnsx are two newer tools from ProjectDiscovery that receive regular updates.
subfinder -d example.com -all | tee subfinder
assetfinder -subs-only example.com | tee assetfinder
dnsx -d example.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt | tee dnsx
2. Combine and sort
Write all the subdomains collected by the different tools into a single file and remove the duplicate subdomains.
cat subfinder assetfinder dnsx | sort -u | tee allsubdomain
3. Check for live subdomains
For checking live subdomains we have two great tools, httprobe and httpx. Again, httprobe is written by tomnomnom and httpx by ProjectDiscovery. You can use either of the two.
cat allsubdomain | httprobe | tee livesubdomain
cat allsubdomain | httpx | tee livesubdomain
4. Collect the parameters
For collecting parameters we have paramspider. paramspider writes its results into a folder, with a separate file for each subdomain, so we need to merge them all into a single file.
paramspider -l livesubdomain
cat results/* | tee allparams
5. Now check for the unfiltered parameters
For checking for unfiltered parameters we have a tool called kxss.
cat allparams | kxss | tee kxss
Look in the kxss output for parameters that reflect characters like < and " unfiltered, and then inject your payload like <img src=2 onerror=alert()>
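The reflection check that kxss automates in step 5 can also be run against your own application to verify that output encoding works before any scanner gets there. The following is an added example, not code from the post or from kxss: it wraps each special character in a marker so an encoded reflection (zzq&lt;zzq) never matches the raw form (zzq<zzq), builds the probe URLs for one line of the allparams file, and tests three constructed stand-in handlers (vulnerable, partial, safe) in place of real HTTP responses.

```python
import html
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Characters that must not come back raw in an HTML context; one probe per character,
# wrapped in a marker so an escaped reflection (zzq&lt;zzq) never matches the raw form.
SPECIALS = ('"', "'", "<", ">")
MARKER = "zzq"


def probe_urls(url: str, special: str) -> dict:
    """For one URL from the parameter list, return {param: url} where that parameter
    carries the probe value and every other parameter keeps its original value."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    probe = MARKER + special + MARKER
    out = {}
    for name, _ in params:
        patched = [(n, probe if n == name else v) for n, v in params]
        out[name] = urlunsplit(parts._replace(query=urlencode(patched)))
    return out


def unfiltered_chars(render, specials=SPECIALS) -> list:
    """Given a function that returns the page body for a parameter value (a constructed
    stand-in for fetching the probe URL), return the specials reflected unencoded."""
    return [c for c in specials if (MARKER + c + MARKER) in render(MARKER + c + MARKER)]


# Three constructed server-side handlers standing in for real responses (hypothetical).
def vulnerable(value):
    # No output encoding at all: every special character comes back raw.
    return f'<input name="q" value="{value}">'


def partial(value):
    # Escapes & < > but leaves quotes alone, which is not enough inside an attribute.
    return f'<input name="q" value="{html.escape(value, quote=False)}">'


def safe(value):
    # Context-correct encoding for an HTML attribute value.
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


if __name__ == "__main__":
    for name, handler in [("vulnerable", vulnerable), ("partial", partial), ("safe", safe)]:
        print(f"{name:10s} reflects raw: {unfiltered_chars(handler)}")
    print(probe_urls("https://example.com/search?q=1&page=2", "<"))
```

The partial handler shows why kxss reports quotes separately from angle brackets: escaping only < and > still leaves an attribute-context injection open.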