Automating reflected XSS with burp-suite Intruder

Hi, everyone

My name is Santosh Kumar Sha, I’m a security researcher from India(Assam). In this article, I will be describing how i found multiple reflected XSS using burp-suite intruder.

SPECIAL COVID-19 Note:

Don’t go outside without any reason . Stay home be safe and also safe other. Special request to my fellow bug-bounty hunter Take care of your health and get vaccinated.

TOOLS used for the exploitation

1. Subfinder (https://github.com/projectdiscovery/subfinder)

2. httpx (https://github.com/projectdiscovery/httpx)

3. gau(Corben) — https://github.com/lc/gau

4. waybackurls(tomnomnom) — https://github.com/tomnomnom/waybackurls.

5. Burpsuite — https://portswigger.net/burp

Story Behind the bug:

This is the write-up of my how i found multiple reflected XSS using burp-suite intruder and automated it to find multiple XSS is on different domains with fuzzing parameters at a same time.
I was working some automation and got invite for new for target. So, while casually browsing and exploring the main domain i got were i notice an endpoint where it was reflected my input in HTML tag but it was block all xss payload payload due to waf and also encoding all the special character to limit the xss.

Here it goes:

Suppose we assume the target name is example.com where every thing is in-scope like this:

In-scope : *.xxx.com

To gather all the subdomain from internet archives i have used subfinder , waybackurls tool and gau.

Command used:

subfinder -d xxx.com silent

gau -subs xxx.com

waybackurls xxx.com

So the chance of missing the subdomain still exist so in-order to be ahead of the game I don’t want to miss any subdomain for testing so I used subfinder and pipe to waybackurls to get all the domain for all the subdomain if exist and save it to a file.

So the final command will look like this:

gau -subs xxx.com | unfurl domains>> vul1.txt

waybackurls xxx.com | unfurl domains >> vul2.txt

subfinder -d xxx.com -silent >> vul3.txt

Now collecting all subdomain in one and sorting out the duplicates

cat vul1.txt vul2.txt vul3.txt | sort -u >> unique_sub.txt

As, if now i have collect all the unique domain and stored them on “unique_sub.txt

Now Creating customer word-list for fuzzing the parameter:

gau -subs xxx.com | grep “=” | sed ‘s/.*.?//’ | sed ‘s/&/\n/’ | sed ‘s/=.*//’ >> param1.txt

waybackurls xxx.com | grep “=” | sed ‘s/.*.?//’ | sed ‘s/&/\n/’ | sed ‘s/=.*//’ | sort -u >> param2.txt

cat param1.txt param2.txt | sort -u >> param.txt

As, if now i have collect all the unique parameters and stored them on “param.txt”

Now I have unique domain and customer parameter for fuzzing.

NOW the actual Automating reflected XSS with burp-suite Intruder start:

So while playing around the endpoint on burp repeater I have across an parameter was reflecting inside an HTML tag but when i was injected the XSS payload it was blocked by WAF and also with encoding the special character which was very hard to bypass.
I tried multiple encoding and decoding technique to bypass this and also tried multiple WAF bypass payloads and some custom payload but no success. It very was hard to bypass the waf and encoding to trigger the xss as it was on Their main domain.

So, After trying everything I thought why out try the same endpoint on other domain and also check if there will be some other parameter which may be vulnerable, that i might have missed.

Burpsuite Process:

Using This method I was able to multiple reflected XSS using burp-suite intruder. I reported all the issue in single report and as ALL issue were same because of same root cause, so was reward once only.

Moral For Story:

Use burp-suite as automation tools because its unlimited power to offer and also you don’t need an programming knowledge for it, just you need to know how to use it.

Takeaway

I’m sure that a lot of security researcher had already see there process but this how I approach for found multiple reflected XSS using burp-suite intruder.

That’s one of the reasons why I wanted to share my experience. also to highlight other techniques to exploit such vulnerability.

Support me if you like my work! Buy me a coffee and Follow me on Twitter.
LinkedIn Profile: https://www.linkedin.com/in/santoshlegend12tech/

--

--

--

Like to hack and break security code and denfense |Security Researcher |pentester | Bugbounty hunter | Pentration tester | CTF player | BUGBOUNTY

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

This is how India’s “FASTEST GROWING COMPANY” treats ethical hackers for being responsible

Dissecting the Tor browser!

I want a SNOC, a SNOC is all I want

MEXC Research: Analysis of The NYM Network (NYM), a Web 3.0

Email Impersonation Scams

GoDaddy vs Bluehost 2021

3 Cyber Security Tips for Small Business Owners

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Santosh Kumar Sha (@killmongar1996)

Santosh Kumar Sha (@killmongar1996)

Like to hack and break security code and denfense |Security Researcher |pentester | Bugbounty hunter | Pentration tester | CTF player | BUGBOUNTY

More from Medium

Hacking into WordPress themes for CVEs and Fun.

Exploiting File Upload Vulnerability through different techniques

Developer’s mistakes leads to full ATO!

CSRF leads to account takeover in Yahoo!