XSS Methodology for Beginners

What is XSS (Cross-site scripting)?


Cross-site scripting is a type of security vulnerability typically found in web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. Because the injected script runs in the victim's browser with the vulnerable site's origin, a cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.

In this post you will learn the core technique and concepts of hunting XSS.

No one will reveal his/her exact methodology of hunting bugs, because if everyone followed the exact same steps for a particular bug class,

then over time that methodology would become completely useless.

So, I will be sharing the core concept of hunting XSS, rather than telling you the exact steps.

Coming straight to the point, let's start our discussion with the concept of XSS.

For finding XSS, what do we do?

1. We try to find parameters (either GET based or POST based).

2. Filter those parameters whose value is reflected in the page.

3. Then we test a simple XSS payload, i.e. <script>alert(0)</script>

4. If the parameter's value is reflected but you are unable to execute the simple payload because a WAF (Web Application Firewall) blocks it,

Then you try to bypass the WAF.

For example, if alert() is a blocked keyword, what if we try to execute this payload:

<script>confirm(1)</script>

But what if confirm() is also blocked by the WAF?

Then we can try to execute this payload:

<script>prompt(1)</script>

Sometimes replacing <script> with <ScRiPt> or <SCRIPt> or any other mixed-case script tag also bypasses the WAF: the browser's HTML parser treats tag names case-insensitively, so the payload still executes, while a WAF that matches the exact lowercase string misses it.

Two checks worth making before you report anything: a value that is reflected but HTML-encoded (e.g. &lt;script&gt;) is not XSS, and a <script> payload only works when the reflection lands in HTML body context; if it lands inside an attribute or a JavaScript string you need a payload that first breaks out of that context.

WAF bypass is a very wide topic, we will discuss it some other day.

So, what do you think is the most important of these steps?

Well, it is parameter finding.

Remember: More Parameters == Higher Chance of Getting a Valid XSS

So, if you only spider the target for parameters, that is good, but not great.

If you are also able to find some hidden parameters, there is a much higher chance of finding a valid XSS.

There are scenarios where even the developers are unaware of some parameters (old, debug or undocumented ones that the code still reads), and those can be a treasure for hackers.

So, the conclusion I want you to take from this post is:

Always try to find hidden parameters.

Well, you might now be asking how we can find hidden parameters.

Answer: waybackurls by Tomnomnom, which pulls every URL the Wayback Machine has archived for a domain, including old query strings that the current site no longer links to.

Install:-▶ go install github.com/tomnomnom/waybackurls@latest

Usage:▶ cat domains.txt | waybackurls > urls.txt

Keep in mind that archived parameters may no longer be read by the application, so every name you harvest still has to be tested for reflection.
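Turning `urls.txt` into a parameter wordlist. This is an added example, not part of the original post or of the waybackurls project; the `SAMPLE_URLS` text is a constructed stand-in for what `waybackurls` prints, and the output of `all_param_names` is what you would feed into a reflection check.

```python
"""Harvest candidate parameter names from waybackurls output.

Added example. SAMPLE_URLS is constructed to look like waybackurls output for
a hypothetical host; it is not real archive data.
"""
from collections import defaultdict
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

SAMPLE_URLS = """\
https://example.com/search?q=shoes&page=2
https://example.com/search?q=boots&sort=price
https://example.com/profile?user=alice&debug=1
https://example.com/static/app.js
http://example.com/search?Q=hat
https://example.com/profile?user=bob&redirect=/home
"""


def params_by_path(url_text: str) -> Dict[str, List[str]]:
    """Map each path to the sorted list of parameter names seen on it.

    Scheme and host are dropped so http/https archive copies merge, and the
    many snapshots of one page collapse to a single entry per path. Case is
    preserved ('Q' and 'q' stay separate) because many frameworks treat them
    as different parameters.
    """
    seen = defaultdict(set)
    for line in url_text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = urlsplit(line)
        # keep_blank_values so an archived '?debug=' still yields 'debug'.
        for name, _value in parse_qsl(parts.query, keep_blank_values=True):
            seen[parts.path].add(name)
    return {path: sorted(names) for path, names in seen.items() if names}


def all_param_names(url_text: str) -> List[str]:
    """Flat, de-duplicated wordlist of every parameter name in the dump."""
    names = set()
    for plist in params_by_path(url_text).values():
        names.update(plist)
    return sorted(names)


if __name__ == "__main__":
    for path, names in params_by_path(SAMPLE_URLS).items():
        print(path, names)
    print(all_param_names(SAMPLE_URLS))
```

Paths with no query string (here `/static/app.js`) are dropped, and the per-path view is the more useful one: a name like `redirect` seen on `/profile` tells you where to test it, whereas the flat list is what you fuzz against every endpoint.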

Some Bonus Tips
==========
1. DOM XSS is rarer to find and harder to hunt, because both the source and the sink live in client-side JavaScript and the payload may never appear in the server's response; you have to read the scripts.
2. Reflected XSS is the easiest to find (Go and Hunt).
3. Stored XSS pays a good amount, but is a little more difficult to hunt.
4. If you are only able to find Self XSS (no bounty for Self XSS on its own), then try to chain it with CSRF or an insecure CORS configuration, so that an attacker can trigger it in the victim's session.

5. Did you know that hardly 30 % of hunters try to find Blind XSS? Put a payload that calls back to a server you control into fields an admin will view later (support tickets, feedback forms, User-Agent headers).

6. An Unrestricted File Upload vulnerability can also lead to XSS, e.g. by uploading an HTML or SVG file that is then served from the application's own origin.
