• Blind XSS -> A type of stored XSS. (The payload gets stored on a web page you cannot see, and fires later when someone else views it.)
• Where do you find them? - In places you cannot access.
> An admin panel
> A log history restricted to admins
> A feedback form that goes straight to the admin
> A chat bot message to the support team
• Where do you put the payloads?
> In headers (e.g. in the Referer and User-Agent headers while filling in forms)
> Put the payload in your username and self-report yourself ;)
• But how will you know if the payload actually fires?
> XSS Hunter!
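The admin-panel and log-history sinks listed above share one root cause: request headers and form fields are stored and later rendered to a privileged user without output encoding. The following is an added example (not code from the original notes) of a minimal log-panel renderer in both its vulnerable and hardened forms; the log entries, function names and the `hasRawTag` check are constructed for illustration.

```javascript
// Constructed sample log entries as a web app might store them for an admin
// "request history" page. The second entry carries HTML in the User-Agent
// header and a non-http scheme in the Referer header.
const sampleLog = [
  { ip: "203.0.113.5", userAgent: "Mozilla/5.0 (X11; Linux x86_64)", referer: "https://example.test/form" },
  { ip: "198.51.100.7", userAgent: "<script>alert(1)</script>", referer: "javascript:alert(1)" },
];

// VULNERABLE: header values are concatenated straight into the admin page HTML.
// Whatever the client sent becomes markup in the admin's browser.
function renderLogVulnerable(entries) {
  const rows = entries
    .map((e) => `<tr><td>${e.ip}</td><td>${e.userAgent}</td><td><a href="${e.referer}">ref</a></td></tr>`)
    .join("");
  return `<table><tr><th>IP</th><th>User-Agent</th><th>Referer</th></tr>${rows}</table>`;
}

// HTML-encode the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Encoding alone does not make a value safe inside href: a "javascript:" URL
// contains no special characters. Allow only http(s) URLs, otherwise neutralise.
function safeHref(url) {
  return /^https?:\/\//i.test(String(url)) ? escapeHtml(url) : "#";
}

// HARDENED: every untrusted value is encoded for the context it lands in.
function renderLogHardened(entries) {
  const rows = entries
    .map((e) => `<tr><td>${escapeHtml(e.ip)}</td><td>${escapeHtml(e.userAgent)}</td>` +
                `<td><a href="${safeHref(e.referer)}">ref</a></td></tr>`)
    .join("");
  return `<table><tr><th>IP</th><th>User-Agent</th><th>Referer</th></tr>${rows}</table>`;
}

// Constructed check used below: does rendered HTML still contain a raw tag
// that came from the log data rather than from the page template?
function hasRawTag(html) {
  return /<(script|img|svg)\b/i.test(html) || /href="javascript:/i.test(html);
}

// Stand-alone run: the vulnerable panel leaks the markup, the hardened one does not.
console.log("vulnerable leaks tag:", hasRawTag(renderLogVulnerable(sampleLog)));
console.log("hardened leaks tag:", hasRawTag(renderLogHardened(sampleLog)));
```

Encoding at render time is what removes the sink; a Content-Security-Policy on the admin origin and a review of which stored fields are echoed back to privileged users are the defensive complements.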
During the investigation of the campaign, researchers found that the attackers made extensive use of both dual-use and living-off-the-land tools. There are also indications that the APT hackers first attacked and exploited publicly facing systems and then moved further into the victim's networks.
Several publicly available tools, including the following, were used in this attack:
• AdFind – A publicly available tool that is used to query Active Directory.
• Winmail – Can open winmail.dat files.
1. Dehashed – View leaked credentials.
2. SecurityTrails – Extensive DNS data.
3. DorkSearch – Really fast Google dorking.
4. ExploitDB – Archive of various exploits.
5. ZoomEye – Gather information about targets.
6. Pulsedive – Search for threat intelligence.
7. GrayhatWarfare – Search public S3 buckets.
8. PolySwarm – Scan files and URLs for threats.
9. Fofa – Search for various threat intelligence.
10. LeakIX – Search publicly indexed information.
11. DNSDumpster – Search for DNS records quickly.
12. ONYPHE – Collects cyber-threat intelligence data.
13. FullHunt – Attack surface search and discovery.
14. AlienVault – Extensive threat intelligence feed.
15. Grep App – Search across half a million git repos.