How I found reflected XSS on IDFC Bank with burp-suite Intruder

Hi, everyone

My name is Santosh Kumar Sha, I’m a Security Researcher/Ethical Hacker from India(Assam). In this article, I will be Describing How I found reflected XSS on IDFC Bank with burp-suite Intruder.

I am now offering 1:1 sessions to share my knowledge and expertise:

topmate.io/santosh_kumar_sha

SPECIAL Note:

Don’t go outside test scope without any permission. Stay safe and also hack safe . Special request to my fellow bug-bounty hunter Take care of your health and always abide the rule of engagement.

TOOLS used for the exploitation

1. Subfinder (https://github.com/projectdiscovery/subfinder)

2. httpx (https://github.com/projectdiscovery/httpx)

3. gau(Corben) — https://github.com/lc/gau

4. waybackurls(tomnomnom) — https://github.com/tomnomnom/waybackurls.

5. Burpsuite — https://portswigger.net/burp

Story Behind the bug:

This is the write-up of my how i found multiple reflected XSS using burp-suite intruder and automated it to find multiple XSS is on different domains with fuzzing parameters at a same time.
I was working some automation and got invite for new for target. So, while casually browsing and exploring the main domain i got were i notice an endpoint where it was…