Self XSS to Stored XSS
If you find jsp page with no parameters. You can actually add path parameters using semicolon Like this http://example.com/test.jsp ;');alert(1)// & perform XSS. Apache tomcat support this. #Bugbountytip #BugBounty #XSS
Bug bounty tip: put a blind XSS payload in your user agent before you fill in a contact form. ;-)
bugbounty #bugbountytip #bugbountytips Sometimes user input is reflected into a value without any quotations. Eg: Just add a space and you can now inject onfocus=alert(0) autofocus for XSS! Works even against htmlspecialchars().
An useful XSS filter bypass technique I use when everything is not working is to take the closing tag off eg. hhh<img src="#" onmouseenter="prompt('XSS')" gggg
Testing a shopping site; Try the XSS payload in order ID parameter once you order an item rather than just an IDOR. They forget to sanitize there coz they are meant to be just numbers ;) #bugbountyTips #XSS
While looking on .js files, try identify the weak places in code. Like, innerHTML indicates there might be XSS.
If you find jsp page with no parameters. You can actually add path parameters using semicolon Like this http://example.com/test.jsp ;');alert(1)// & perform XSS. Apache tomcat support this.
tip for blind xss :- inject bxss payloads in appstore/play store’s app reviews. Many times companies uses third party app review analysis apps. Payload can get trigger on the third party app which can give you access to some sensitive information.
#bugbountytip You can turn an input box into automatic #XSS by setting agnostic payload on the "onfocus" attribute and then setting it to "autofocus". Eg: <input onfocus="alert(0);" autofocus> This will result in automatic XSS (no user interaction).
Use <svg onload=alert(1)> payload as file extension. When extension reflects in html. Sometime developers validate filename and forgot to validate extension.
Split your XSS payload into two like for ex. FName: <img src=x & LName: onerror=prompt(0);> sometimes you will end getting Stored XSS.
#bugbounty tip: to demonstrate XSS impact, don't use alert('alert'). Determine whether session is stored in cookies or local storage and put that in the popup. cookie: alert(document.cookie) LocalStorage: alert(localStorage.getItem('access_token'))
Target[.]com/index.php?xss=<a href=x onfocus=alert(23) name=jj>
I found an endpoint without extension and parameters. response was json. added .html and a parameter with xss payload, resulted in html with xss try it. #bugbounty
When testing for reflected XSS, ignore the "Accept Cookie" pop-up (don't dismiss it or accept it, just ignore it). The pop-up's code might reflect the URL in the source code