XSS Day#12
Parameters reflected 1:1 from URL to site can be great injection points. Replaced the brand name of a vehicle and the payload is reflected 144 times on this page. @realDonaldTrump is upset with the lack of sanitization.
#Cybersecurity#XSS#BugBounty#bugbountytips
XSS Day#14
When testing a site for XSS, first find the search bar. Typically testing begins with an <h1> followed by a unique string that isn't on the site already. From here, you can study how the website interprets the HTML.
#CyberSecurity#XSS#BugBounty#bugbountytips
XSS Day#15
In this example, you can see the progression I took to find this XSS. First noticing the h1 tag was not filtered or sanitized within the title tag. Then closing the title tag early allowed the injection of javascript.
#Cybersecurity#XSS#bugbountytips#BugBounty
XSS Day#17
Here the h1 tag was reflected initially. After further inspection, adding "> prior to the payload, it reflected an additional 2 times. Often times the source can show vulnerabilities not visible in the DOM.
#CyberSecurity#XSS#bugbountytips#BugBounty#pentesting
XSS Day#18
Noticing the h1 tag wasn't sanitized, the next step was to break out of the script tag. Using "});</script> prior to the payload, we could inject our own javascript. Only opening script tags were filtered, not closing.
#Cybersecurity#XSS#BugBounty#bugbountytips
XSS Day #19
Step 1. Test for h1 tag reflection.
Step 2. Try to break out of input tag with "> then payload.
Step 3. Use </script> before payload as step 2 wasn't acting as expected.
Step 4. Notice new 2nd reflection point and exploit.
#CyberSecurity#XSS#BugBounty#bugbountytips
XSS Day #21
Unsanitized injection reflected via the search bar. This allowed an event handler to be injected using the existing HTML tag. Here the onmouseover event is injected to the existing div tag by escaping the single quote.
#cybersecurity#XSS#BugBounty#bugbountytips
XSS Day #22
1. Find payload reflected in the form tag.
2. Break out of the double quotes.
3. Attempt full payload. But notice it's not executing.
4. Adjust payload to have double quotes before alert call.
#CyberSecurity#XSS#BugBounty#bugbountytips
XSS Day #23
1. Find h1 tag and try to break out with "
2. It seemed the " was being escaped with \ but the color of the h1 tag changed. This indicates we moved out of the value param.
3. Try "> but it redirects back to home page.
#cybersecurity#XSS#BugBounty#bugbountytips
XSS Day #24
Easy search bar reflection on the h1 tag. Script tag was injected but not firing the alert box. Img tag was filtered and completely removed. Usually after this I try an SVG tag and this time the alert popped.
#CyberSecurity#XSS#BugBounty#bugbountytips
XSS Day #27
All payloads without user interaction seemed to be filtered. Using the javascript URI, we can hide a payload within an anchor tag using href.
Payload - <a href=javascript:alert()>Click</a>
#cybersecuritytips#XSS#bugbountytips#Pentesting#BugBounty
XSS Day #28
Every HTML tag tested here was removed recursively. Each test added a param to the URL named room_name=Search. Injection there was vulnerable and executed. Always check the URL for changes & reflections.
#cybersecuritytips#XSS#bugbountytips#Pentesting#BugBounty
#KNOXSS GIVEAWAY
🔥FOLLOW US🔥
🔥LIKE & REPOST🔥
To have a chance to WIN one of the following
• 1 Pro Subscription 1-month
• 1 Pro Subscription 3-month
• 1 Pro Subscription 6-month
• 1 Pro Subscription 1-year
Winners of this draw will be announced next week
Good luck! 😀
XSS Day #29
Bypassing WAFs can be quite frustrating. What's the most time efficient way to find WAF bypasses?
Cloudflare WAF bypass - <img src=x on0x=1 onerror=alert(document.cookie)>
#cybersecuritytips#XSS#bugbountytips#Pentesting#BugBounty
XSS Day #30
This has 2 vectors.
1 - Break out of the script tag early.
2 - Utilize the existing script tag to inject the alert.
Payload 1 - %27});//]]></script>[payload here]
Payload 2 - '-alert(1)-'
#cybersecuritytips#XSS#bugbountytips#Pentesting#BugBounty
XSS Day #31
Single quote and double quotes allowed us to escape the input tag. This site also had wp-json/wp/v2/users and wp-includes visible to the public.
Good read about Wordpress vulns. https://t.co/349C7E2j2B
#cybersecuritytips#XSS#bugbountytips#Pentesting#BugBounty