Hi guys, So I would like to start this blog with a question, What was the first vulnerability you learnt when you began into Cyber Security??
Mine was XSS, though it took pretty long for me to find it but yeah! I finally found it ¯\_(ツ)_/¯
I got an invitation to a private program on HackerOne. It almost had more than 600+ reports already reported with just 4 assets. Damn will I find anythin’??
I still began with my normal reconnaissance and started playing with the application. No luck here!
Now, I then started mining the parameters. HOW? here you go
Finds parameters from web archives of the entered domain. Finds parameters from subdomains as well. Gives support to…
HTTP Parameter Discovery Suite Web applications use parameters (or queries) to accept user input, take the following…
hakrawler is a Go web crawler designed for easy, quick discovery of endpoints and assets within a web application.
also you can use “Waybackurls | gau” to find parameters. These are some great tips I have used soo far and the results were amazing ¯\_(ツ)_/¯
With all the list of Parameters, I started fuzzing and fuzzing with a thought, I’ll get something interesting (Positive Vibes) and Voila!! I found one parameter which did not have many filters. First I sent it to some XSS scanner tools because It’s the first time I running for an XSS.
Most advanced XSS scanner. Contribute to s0md3v/XSStrike development by creating an account on GitHub.
Just, XSS Scanning and Parameter Analysis tool. I previously developed XSpear, a ruby-based XSS tool, and this time, a…
And I got positive results, I found csrfToken lying out there for me lol :P
So I started exploring how to get the POP-UP
And later that day. I reported my First XSS on HackerOne.
“Old program, many reports, and many such things” don’t let it bother you. Always try to find more and more parameters and Fuzz them ALL :D
That’s all for this blog. Hope you liked it.
If you enjoyed this blog, please click the 👏 button and share it to help others find it.