So today I'll share some techniques I use for testing XSS. First of all, there are a few important things you should note:
- Copy-pasting XSS payloads doesn't work
- PoC or GTFO
That is to say, report checkers need a proper PoC to validate the report; if it doesn't have one, your report cannot be triaged.
So first, for testing XSS you need parameters to insert your payloads into. To do that, I have found a really helpful Linux tool which spiders all the parameters on the site and messages them to a Discord server. You need to connect a Discord webhook (I hope you're familiar with that) to the app. Here is the software: https://github.com/mikey96/reflection-public
So, after you find all the parameters that get your input reflected, it's time to hunt for your XSS. Remember that automating XSS isn't a really good idea: why would a company create a bug bounty program if it could just automate the testing itself? They need special techniques for that. Now let's get on to payload creation.
For payload creation, you first need to check which tags get injected. To do that, don't copy-paste payloads. In the search box or the reflective parameter in the URL, insert tags like <img> without any content, for example:
<img></img>. Checking whether the tags are getting injected is simple: if there is nothing in the place where the user input should be, like "Results for (null)", the tag was injected. My favourite tags for testing are img, a, iframe, svg and script, because they are the ones most likely to work on the websites I test.
Now, after you get a reflection with a null result, it's time to hunt for XSS. You can find payloads at https://portswigger.net/web-security/cross-site-scripting/cheat-sheet. Copy one of the payloads that works on all browsers and try to inject it. If it gets injected, then you have found a nice reflected XSS.
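As an added illustration (my own example, not code from the post or from the reflection-public tool), here is a small Python check that distinguishes the three ways the empty-tag probe can come back and shows the output-encoding fix a defender applies; the render_* functions and the "Results for" page are constructed stand-ins for a real search endpoint:

```python
import html
import re

# Constructed probe: an empty tag with no attributes, as the post suggests.
# It renders as nothing when parsed as markup, so an empty "Results for"
# line means the input reached the HTML parser unencoded.
PROBE = "<img></img>"


def render_vulnerable(term: str) -> str:
    """Reflects the search term straight into the page (the defect being hunted)."""
    return f"<p>Results for {term}</p>"


def render_filtered(term: str) -> str:
    """Strips tags instead of encoding: also shows a 'null' result, but no injection."""
    return f"<p>Results for {re.sub(r'<[^>]*>', '', term)}</p>"


def render_hardened(term: str) -> str:
    """Same page with output encoding: the fix a defender applies."""
    return f"<p>Results for {html.escape(term, quote=True)}</p>"


def classify_reflection(body: str, probe: str = PROBE) -> str:
    """Classify how the probe came back in the response body.

    'raw'     - probe present verbatim: markup reaches the parser (unsafe)
    'encoded' - probe present only as HTML entities (safe output encoding)
    'absent'  - neither: the input was stripped or not reflected at all
    """
    if probe in body:
        return "raw"
    if html.escape(probe, quote=True) in body:
        return "encoded"
    return "absent"


def visible_text(body: str) -> str:
    """Rough view of what the browser displays: drop tags, decode entities."""
    return html.unescape(re.sub(r"<[^>]*>", "", body)).strip()
```

Note that both the vulnerable and the filtered page show "Results for" with nothing after it, which is why the classifier looks at the response body rather than only at what is visible.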
BUT, if your script doesn't get injected, it's time to go advanced. Inspect the element, select the object and see WHAT is getting injected. If you find a specific tag like
<>, you can try URL-encoding those characters. URL encoding is a basic technique for encoding a specific character so that it gets decoded systematically on the other side. This can help you.
The second technique is to try replacing
x, because if encoding
= doesn't work, it can be marked as x, as that simply works.
Those were some of the techniques I use while testing. I hope you find a good XSS. Good luck!