My name is Santosh Kumar Sha, I'm a security researcher from India (Assam). In this
article, I will describe how I found multiple reflected XSS using Burp Suite
Intruder and automated it to find XSS on different domains by fuzzing parameters
on all of them at the same time.
Tools used:
1. Subfinder (https://github.com/projectdiscovery/subfinder)
2. httpx (https://github.com/projectdiscovery/httpx)
3. gau, by Corben (https://github.com/lc/gau)
4. waybackurls, by tomnomnom (https://github.com/tomnomnom/waybackurls)
5. Burp Suite (https://portswigger.net/burp)
1 of 6 17-08-2022, 14:17
Automating reflected XSS with burp-suite Intruder | by Santosh Kumar ... https://medium.com/@notifybugme/automating-reflected-xss-with-burp-...
I was working on some automation and got an invite for a new target. While casually
browsing and exploring the main domain, I noticed an endpoint that reflected my input
inside an HTML tag, but every XSS payload was blocked by a WAF and all special
characters were encoded, which limited the XSS.
Here it goes:
Suppose the target name is example.com and everything is in scope, like this:
In-scope : *.xxx.com
To gather all the subdomains from internet archives I used subfinder, waybackurls
and gau.
Commands used:
subfinder -d xxx.com -silent
waybackurls xxx.com
There is still a chance of missing a subdomain, and I did not want to miss any for
testing, so to stay ahead of the game I piped the subfinder output into waybackurls to
collect every archived URL for every subdomain that exists and saved the result to a file.
Now collect all the subdomains into one file and remove the duplicates. Then extract
the distinct parameter names from the archived URLs into a wordlist (param2.txt),
replacing every "&" so that each parameter lands on its own line:
waybackurls xxx.com | grep "=" | sed 's/.*?//' | sed 's/&/\n/g' | sed 's/=.*//' | sort -u >> param2.txt
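As an added example (not the author's own tooling or code from the article), here is a Python equivalent of the sed pipeline above that extracts distinct parameter names from a list of archived URLs. It goes beyond the one-liner by keeping every `&`-separated pair, ignoring `#fragment` parts and percent-decoding names; the URL list below is constructed, and `param2.txt` is the page's own output filename.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of archived URLs, the kind waybackurls/gau emit (not real data).
SAMPLE_URLS = """\
https://shop.xxx.com/search?q=shoes&page=2
https://shop.xxx.com/search?q=boots&page=3&sort=price
https://blog.xxx.com/post?id=17#comments
https://api.xxx.com/v1/items?filter%5Bname%5D=test&limit=10
https://www.xxx.com/login
https://www.xxx.com/?redirect=%2Fhome&lang=en
""".splitlines()


def param_names(urls):
    """Sorted set of distinct query-parameter names in `urls`.

    Differences from the sed one-liner: every `&`-separated pair is kept
    (not just the first), `#fragment` is ignored, and percent-encoded names
    such as filter%5Bname%5D are decoded by parse_qsl.
    """
    names = set()
    for url in urls:
        url = url.strip()
        if not url:
            continue
        query = urlsplit(url).query          # everything between '?' and '#'
        for name, _value in parse_qsl(query, keep_blank_values=True):
            names.add(name)
    return sorted(names)


def hostnames(urls):
    """Distinct hostnames seen in `urls`, for the per-domain fuzzing list."""
    found = set()
    for url in urls:
        host = urlsplit(url.strip()).hostname
        if host:
            found.add(host)
    return sorted(found)


def write_wordlist(path, items):
    """Write one item per line, like `sort -u >> param2.txt` but without
    duplicates left over from earlier runs (the file is overwritten)."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(items) + "\n")
    return len(items)


if __name__ == "__main__":
    params = param_names(SAMPLE_URLS)
    print("parameters:", params)
    print("hosts:", hostnames(SAMPLE_URLS))
    print("wrote", write_wordlist("param2.txt", params), "names to param2.txt")
```

Feed it the real archive output (one URL per line) instead of `SAMPLE_URLS`; the parameter list is what goes into the second Intruder payload set, and the host list into the first.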
Now the actual automation of reflected XSS with Burp Suite Intruder starts:
While playing with the endpoint in Burp Repeater I came across a parameter that was
reflected inside an HTML tag, but when I injected an XSS payload it was blocked by the
WAF and the special characters were encoded, which was very hard to bypass.
I tried multiple encoding and decoding techniques, multiple WAF bypass payloads and
some custom payloads, but with no success. It was very hard to bypass the WAF and the
encoding to trigger the XSS, as the endpoint was on their main domain.
So, after trying everything, I thought: why not try the same endpoint on the other
domains, and also check whether some other parameter that I might have missed is
vulnerable?
Burpsuite Process:
Using this method I was able to find multiple reflected XSS using Burp Suite Intruder.
I reported all the issues in a single report and, as all of them shared the same root
cause, I was rewarded only once.
I'm sure that a lot of security researchers have already seen this process, but this is
how I approach finding multiple reflected XSS using Burp Suite Intruder.
That's one of the reasons why I wanted to share my experience, and also to highlight
other techniques to exploit such a vulnerability.