Reflected XSS in a bug bounty program {ScriptKiddie methodology Version}

Methodology

1- As usual.. I started by finding sub-domains using 7 methods:

- subfinder -d domain.com

- Sublist3r -d domain.com -b -t 50 -o sublist3r.txt

- amass enum -d domain.com -active -cidr 1.2.3.4/24,4.3.2.1/24 -asn 12345

- crtfinder:
python crtfinder.py -u domain.com

- using Google dorks

- Shodan manual search

- GitHub manual search

Then save all these unique subdomains into --> all_subdomains.txt


2- I used httprobe to get out the live subdomains and saved them into -> live_subdomains.txt

"cat all_subdomains.txt | httprobe | tee live_subdomains.txt"



3- I extracted domains of subdomains from the live subdomains using altdns

"python3 altdns -i live_subdomains.txt -o data_output -w words.txt -r -s domains_subdomains.txt"


4- I used httprobe to get out the live domains of subdomains

"cat domains_subdomains.txt | httprobe | tee live_domains_subdomains.txt"

 

5- I extracted the web archive URLs of those subdomains using "waybackurls"

"cat live_domains_subdomains.txt | waybackurls >> domains_subdomains_waybackurl.txt"


6- I grepped the JS files out of domains_subdomains_waybackurl.txt (matching ".js" at the end of the path or right before a query string, so that "json"/"jsp" URLs are not picked up)

"cat domains_subdomains_waybackurl.txt | grep -E '\.js($|\?)' > js_files.txt"

 

7- I fired the "LinkFinder" tool to discover endpoints and their parameters in the JavaScript files I got from the last step

!!!!!!!! I'm using bash scripting to test all domains using file looping. !!!!!!!

"python linkfinder.py -i https://domain.com/file.js -o endpoints.txt"

and here I got some endpoints like:

domain.com/v1/auth/endpoint/example

domain.com/mob/message/files
......etc

 

8- Then I used arjun for finding any special hidden params

"arjun -i endpoints.txt -w param_wordlist.txt -oT hidden_params.txt"

and here, using arjun + bash scripting, the results were:

https://subdomain.subdomain.domain.com/mob/message/files?type=

https://subdomain.subdomain.domain.com/v1/auth/endpoint/example?message=

 


9- In this step I should use the "qsreplace" tool and then take a screenshot of the results, but instead I will run bxss (bxss tells you the non-filtered signs.)

"cat hidden_params.txt | bxss"

When I see the bxss results, the first thing I search for is a parameter that accepts the "<>" special characters and doesn't filter them.. then I open the link in my browser and try to get XSS.


10- Instead of bxss, I did it manually by visiting all the hidden parameters' URLs and searching for the query's value reflected on the page, and yesterday I got a JS code reflection like this:

https://subdomain.subdomain.domain.com/v1/auth/endpoint/example?message=payloadHere
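A defender-side counterpart to this step, added here as an example and not part of the original write-up: a parameter reflected into a JS string, as above, shows up in the web server's access log as query values that close a string literal and continue with code. The scan below looks for that structure rather than for function names (the approach the WAF in this post relied on), and decodes values repeatedly so a doubly URL-encoded variant, like the one the post later reports the WAF missed, is inspected in the form the application finally sees. The log format, the `message`/`type` parameter names and the four log lines are constructed for illustration.

```javascript
// Added example, not from the original post: scan constructed access-log lines for
// query values that break out of a JavaScript string literal. Log format and the
// parameter names are assumptions for illustration.

// Constructed log lines in combined format; only the request line is inspected.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /v1/auth/endpoint/example?message=hello HTTP/1.1" 200 512',
  // single URL-encoding of:  "; confirm(1); var a="1
  '10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /v1/auth/endpoint/example?message=%22%3B%20confirm(1)%3B%20var%20a%3D%221 HTTP/1.1" 403 0',
  // double URL-encoding of:  "; document.location = "https://google.com"; var a="1
  '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /v1/auth/endpoint/example?message=%2522%253B%2520document.location%2520%253D%2520%2522https%253A%252F%252Fgoogle.com%2522%253B%2520var%2520a%253D%25221 HTTP/1.1" 200 512',
  '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /mob/message/files?type=pdf HTTP/1.1" 200 2048',
];

// Decode until the value stops changing (capped), so a doubly-encoded payload is
// judged in its final form. A malformed escape stops decoding instead of throwing.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let round = 0; round < maxRounds; round++) {
    let next;
    try {
      next = decodeURIComponent(current.replace(/\+/g, ' '));
    } catch (e) {
      break;
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Structural signs of a string-context breakout, independent of which function
// name follows: a closing quote then a statement separator, or a navigation sink.
const STRING_BREAKOUT = /["']\s*;/;
const NAVIGATION_SINK = /\b(?:document\.location|window\.location|location\s*=)/i;

// Inspect one log line; returns one finding per suspicious query parameter.
function inspectLogLine(line) {
  const m = line.match(/"(?:GET|POST|PUT|DELETE) ([^ ]+) HTTP\/[\d.]+"/);
  if (!m) return [];
  const qIdx = m[1].indexOf('?');
  if (qIdx === -1) return [];
  const path = m[1].slice(0, qIdx);
  const findings = [];
  for (const pair of m[1].slice(qIdx + 1).split('&')) {
    const eq = pair.indexOf('=');
    const name = eq === -1 ? pair : pair.slice(0, eq);
    const raw = eq === -1 ? '' : pair.slice(eq + 1);
    const decoded = fullyDecode(raw);
    const reasons = [];
    if (STRING_BREAKOUT.test(decoded)) reasons.push('string-breakout');
    if (NAVIGATION_SINK.test(decoded)) reasons.push('navigation-sink');
    // Still changing after one decode round means the client sent it double-encoded.
    if (decoded !== fullyDecode(raw, 1)) reasons.push('double-encoded');
    if (reasons.length) findings.push({ path, param: name, reasons, decoded });
  }
  return findings;
}

function scanLog(lines) {
  return lines.flatMap(inspectLogLine);
}

console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
```

Note that the 403 on the second line and the 200 on the third line are the pattern worth alerting on: the same client was blocked once and then succeeded with the encoded form, which is exactly the bypass the post goes on to describe.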

 

The Reflection : 


XSS Exploitation

So the XSS context is JS code, where my payload reflects, so I used this payload:

"; confirm(1); var a="1

but unfortunately it didn't work because of the WAF..

so I decided to type the same payload char by char, then I figured out that confirm and other functions are blacklisted, so I decided to do two things:

1- bypass the WAF by obfuscating the blacklisted functions:

I tried using URL encoding and double URL encoding but it didn't work.. and many things from here: How to Bypass WAF, but none of them worked..


2- use a wordlist of JS function names and try all of them in the payload using Burp Intruder, to check the WAF's behaviour towards all the functions and find an unblacklisted one..

and finally I figured out that print() and document.location are unblacklisted.

so the payload is:

"; document.location = "https://google.com"; var a="1

but it didn't work! .. so I tried to URL-encode all the special chars.. and finally it worked for me and the redirection was successful..
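The fix for the reflection exploited above, as an added example that is not part of the original post and not the target's own code: the value of `message` lands inside a JavaScript string literal, so the right control is contextual output encoding at that sink, which keeps both payloads quoted in the write-up inside the string no matter which function names the WAF blacklists. The template shape (`var message = "...";`) and the function names are assumptions for illustration; the two payloads are the ones from the post. Each rendered snippet is executed in a bare function scope where `confirm` and `document` do not exist, so any code that escapes the literal surfaces as a `ReferenceError`.

```javascript
// Added example, not from the original post: the vulnerable JS-string sink beside
// its hardened form, checked against the two payloads quoted in the write-up.
// Template shape and function names are assumptions for illustration.

// Vulnerable pattern: the parameter is pasted straight into a JS string literal, so
// a value containing a double quote closes the literal and the rest runs as code.
function renderUnsafe(message) {
  return 'var message = "' + message + '";';
}

// Hardened pattern: JSON.stringify yields a valid JS string literal (quotes,
// backslashes and control characters escaped); the extra replacements cover
// characters that could still close a <script> block or break the JS parser.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderSafe(message) {
  return 'var message = ' + jsStringLiteral(message) + ';';
}

// Run a rendered snippet in an isolated function scope (no DOM, no confirm()) and
// return what the variable ended up holding. Anything injected outside the literal
// executes here and, hitting an undefined sink, throws.
function evaluateSnippet(snippet) {
  return new Function(snippet + ' return message;')();
}

// The two payloads from the write-up.
const PAYLOADS = [
  '"; confirm(1); var a="1',
  '"; document.location = "https://google.com"; var a="1',
];

// Classify one render/payload pair: "inert" means the variable holds the payload
// verbatim and nothing else ran; "executed:<error>" means injected code ran.
function outcome(render, payload) {
  try {
    const value = evaluateSnippet(render(payload));
    return value === payload ? 'inert' : 'altered';
  } catch (e) {
    return 'executed:' + e.name;
  }
}

function summarize() {
  return PAYLOADS.map((payload) => ({
    payload,
    unsafe: outcome(renderUnsafe, payload),
    safe: outcome(renderSafe, payload),
  }));
}

console.log(JSON.stringify(summarize(), null, 2));
```

The point of the comparison is that the WAF's blacklist of function names never addressed the root cause: the application closed a string literal with attacker-controlled text. Once the sink encodes for its context, the choice of `confirm`, `print` or `document.location` no longer matters, and the URL-encoding trick that got past the WAF is irrelevant because the server decodes the parameter before it reaches the encoder anyway.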

 

Twitter: https://twitter.com/0xFLTNT