URL: https://sec.ud64.com/the-ultimate-guide-to-hunting-for-xss-vulnerabilities-at-scale-94988.html
Submission: On December 23 via api from US — Scanned from DE

THE ULTIMATE GUIDE TO HUNTING FOR XSS VULNERABILITIES AT SCALE

3 days ago 13

Welcome, digital defenders and bug bounty enthusiasts! Today, I’m thrilled to
share with you a practical approach to uncovering Cross-Site Scripting (XSS)
vulnerabilities across thousands of web endpoints. Time is of the essence in our
field, and efficiency is the name of the game. The method I’m about to walk you
through can be fully automated, saving you precious time while you hunt for
those elusive security gaps. Before we dive in, let’s set the stage with an
essential tool for this mission: Axiom, which distributes your scans across a
fleet of cloud instances. It’s your secret weapon for scaling up your XSS
hunting.



For those who may not be well-versed in Axiom, I recommend brushing up on its
capabilities through some preliminary reading. It’s a powerhouse that can
significantly amplify your bug bounty strategies.


THE HUNT BEGINS: GATHERING TARGET SUBDOMAINS

First things first, we need to do our homework. To pinpoint reflected XSS
vulnerabilities, you’ll need a comprehensive list of subdomains. There are a
multitude of tools at your disposal, like amass and subfinder, to compile a
hefty collection. While I won’t delve into the specifics of building this list
here, I’ve previously discussed how Axiom can assist in this task.

Selecting a bug bounty program with a broad scope and numerous apex domains is
wise, as larger companies with sprawling, older infrastructures are more prone
to XSS issues. It’s all about playing the odds and identifying where the
vulnerabilities are most likely to be hiding.

For our example, let’s take “example.com” and gather its subdomains using the
Chaos tool. Remember, you’ll need to configure any necessary API keys to get
started.

chaos -silent -d example.com | tee hostnames.txt


Next, we’ll utilize Axiom to see which of these hosts are alive. Start by
spinning up some instances:

axiom-fleet xss-hunt -i 8


Customize the httpx.json module to scan additional ports and glean more
information, such as status codes and response titles.



Now, let’s proceed with the axiom-scan command for these hosts:

axiom-scan hostnames.txt -m httpx | tee alive.txt



FILTERING SUBDOMAINS FOR A FINER FOCUS

Time to roll up your sleeves and do some manual filtering to conserve those
precious server resources. After rounding up the living hosts, it’s crucial to
sift through them. Bug hunters each have their unique tactics, often using
multiple grep commands to sort by status code and title. Some even employ
blacklists to exclude certain subdomains. Here’s an example of how to filter out
“blog” and “api” subdomains while focusing on those with a 200 status code:

cat alive.txt | grep -vE "blog|api" | grep 200 | awk '{print $1}' > alive_selected.txt


COLLECTING ENDPOINTS: THE MORE, THE MERRIER

There are several ways to amass endpoints for the chosen hosts, and I advocate
for using a combination of tools to create an extensive list. The greater the
variety of tools, the more of the target’s attack surface you cover.

Method #1: Host crawling. Tools like katana and paramspider are made for this.
Here’s how to use katana with Axiom:

axiom-scan alive_selected.txt -m katana -duc -silent -nc -jc -kf -fx -xhr -ef woff,css,png,svg,jpg,woff2,jpeg,gif,svg | tee -a katana.txt

Method #2: Web archive data. Tools such as waybackrobots, waybackurls, gau, and
gauplus can be helpful. I’ll use gau in this instance for its advanced features:



Use the following command to execute the axiom scan with the gau module:

axiom-scan targets-wildcards.txt -m gau | tee -a gau.txt



PREPARING GATHERED ENDPOINTS FOR XSS CHECKS

With our lists in hand, it’s time to refine the data. We want only URLs that
carry query parameters, with their parameter values replaced by a placeholder
and duplicates removed. Here’s where tools like qsreplace come in handy:

cat gau.txt katana.txt | grep -aiE '^http' | grep -aiE '\?' | qsreplace FUZZ > fuzzable_urls.txt

Filtering out specific parameters and static endpoints is also a good practice,
which can be tailored to each case.
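The normalisation step above, written out as an added example (this is not code from the post or from qsreplace): it keeps only http(s) URLs that carry a query string, drops static assets and an assumed list of tracking parameters, replaces every value with FUZZ, and deduplicates on host, path and parameter names, so two crawled URLs that differ only in values or parameter order are fuzzed once. The sample input is constructed.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# Extensions treated as static endpoints (mirrors the -ef list used for katana).
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".jpeg", ".gif", ".svg", ".woff", ".woff2")
# Assumption: analytics parameters rarely reach a template, so they are ignored.
IGNORE_PARAMS = {"utm_source", "utm_medium", "utm_campaign"}


def fuzzable_urls(lines, marker="FUZZ"):
    """Return a deduplicated list of URLs with every query value set to marker."""
    seen = set()
    out = []
    for raw in lines:
        url = raw.strip()
        if not url.lower().startswith("http"):      # same effect as grep '^http'
            continue
        parts = urlsplit(url)
        if not parts.query:                          # same effect as grep '\?'
            continue
        if parts.path.lower().endswith(STATIC_EXT):  # static endpoint, skip
            continue
        names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
                 if k not in IGNORE_PARAMS]
        if not names:
            continue
        # Same host, path and set of parameter names means the same server-side
        # code path, so one fuzzable URL is enough for the whole group.
        key = (parts.scheme.lower(), parts.netloc.lower(), parts.path,
               tuple(sorted(set(names))))
        if key in seen:
            continue
        seen.add(key)
        query = "&".join(f"{k}={marker}" for k in dict.fromkeys(names))
        out.append(urlunsplit((parts.scheme, parts.netloc, parts.path, query, "")))
    return out


# Constructed sample of crawler / archive output.
SAMPLE = """
https://app.example.com/search?q=shoes&page=2#top
https://app.example.com/search?page=9&q=hats
http://app.example.com/static/app.js?v=3
https://app.example.com/item?id=42&utm_source=newsletter
https://app.example.com/item?id=7
https://app.example.com/about
javascript:void(0)
"""

if __name__ == "__main__":
    print("\n".join(fuzzable_urls(SAMPLE.splitlines())))
```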


SCANNING FOR XSS VULNERABILITIES: THE FINAL ASSAULT

Equipped with a list of fuzzable endpoints, you’re ready to commence the XSS
hunt. I prefer using tools like freq, which can be integrated with Axiom. With
your custom payloads, start your scans:

cat filtered_fuzzable_urls.txt | qsreplace "';a=prompt,a()//" > fuzz.tmp && axiom-scan fuzz.tmp -m freq | grep -v 'Not'


IN CONCLUSION: YOUR XSS HUNTING JOURNEY

Congratulations! You’re now equipped to take on XSS vulnerabilities at scale.
Remember, the key to success in bug hunting is to inject your unique perspective
and strategies into the process. Stand out, innovate, and keep pushing the
boundaries.

If you’ve found this guide enlightening, I’d be over the moon if you could show
your appreciation with a thunderous round of 50 claps! Feel free to share your
thoughts and experiences in the comments. Your insights enrich our community.

Stay tuned for more tales from the cybersecurity front lines. Until next time,
happy hunting!
