What is XSS?

It is a type of stored XSS where input is saved by server and is reflected in a totally different application used by admin/team member.

Tools you can use for Blind XSS:

Currently I use the web version of XSShunter for finding Blind .There are few other tools which you can use:

  • ezXSS(has 2FA, email reports, share reports feature)
  • bXSS(Has slack/sms notification feature)
  • KNOXSS(has email feature)
  • Burp Collaborator

How to register for XSShunter? Is it ? Do we need a domain in our name to use XSShunter?

I use the web version of XSShunter as I don’t have patience to setup the tool on my server:) Its free of cost and you can set it up by visiting XSShunterwebsite .Enter all the mandatory fields, in the Custom Subdomain box you can enter any 2–3 characters.(You are not supposed to enter your website URL here🙂).With that you should be set to use the tool.

You can setup XSSHunter on your server by following these instructions

I also use the KNOXSS  plugin sometimes.If knoxss finds Blind XSS in a website it will mail you the vulnerability details.

- 1 QxrbeUzXGtXZzHrF18DCvg - Blind XSS for Beginners – ETHICAL HACKING

So where do you get the payloads from and where do you spray the payloads?

Within XSShunter there is a tab for payloads,You can get all the payloads from there and its better to have a copy of all the payloads locally with you so that you can use/spray it when you need it.

Now moving to questions about where to spray these payloads, this has been discussed on twitter/slack a lot of times.Here are few tips from BB hunters.

 



Source link

LEAVE A REPLY

Please enter your comment!
Please enter your name here