Transcript for:
Cross-Site Scripting (XSS) and the 5WE Program

XSS, or cross-site scripting, is still one of the most commonly found vulnerabilities across bug bounty platforms, or bug bounty programs in general, and today I want to show you exactly how I look for them, and hopefully it helps you with the 5WE program. If you're not familiar with the 5WE program, then let me introduce you to the program that we launched last week. In these next five weeks I'm helping you guys find your first vulnerability, and within that group of people one person is going to come on my next pentest and help me do a pentest that I'm going to be on, kind of shadow me, learn from me, and also get paid while working with me at the same time. The whole purpose of this is to find the next talent that could help me. It's my first time doing this program, so stick around, give me some feedback, and hopefully we can get you your first bug as well.

All right, let's jump into XSS and talk about what cross-site scripting is in general. If you're not familiar with cross-site scripting, it's when you're allowed to insert JavaScript within a website, whether it stores that data and shows it back to them, or if it's reflected because it's in the URL itself, which I will show you in just a sec. In either case it is allowing you to inject malicious JavaScript code within that website, and you can kind of control the browser's behavior in the context of that specific target. So for example, if you inject a cross-site scripting payload in a website like Amazon, you can potentially take over their account, you can make them shop and buy whatever item you want them to, and that kind of stuff is what you can do. The account takeover part of it could mean a lot of different things: sometimes you can hijack their entire cookie and you can log in as them, sometimes you can hijack an API key, for example, and log in as them, and there are other tricks that you can do. But in general the XSS thing, at the root of it, is all the same: it's just finding an HTML tag you can inject, then escalating that to JavaScript, and then reporting that to a bug bounty program, a VDP, or even if you're on a pentest you can report it as a finding on your pentest.

Before we jump into our demo, let me explain how JavaScript in the context of XSS works. So for example, when I say I want you to look for HTML injection first, all you have to do is something similar to this, which says hey, I want to insert an H1 tag. It could be an underline, it could be an image, whatever you want to do, but I always start with a simple HTML payload that says just test123, and then I'm going to show you how to look for that in the next step. But this is what I usually use, and then if that actually renders, and if it underlines and comes back with something like this, for example, on the page, then you kind of know that hey, this reflects and it's also rendering that HTML, and there might be some sort of vulnerability here. So next what you want to do is introduce what is called an event handler, which is where you tell it on a specific event you want it to call out a JavaScript function. So for example we can say hey, I want you to do the same underline, but now I want you to say on mouse over I want you to call this function called alert, and I want you to alert with the popup number one, and then we close that out and we say test123. And what happens is when you pass this, the application is going to give us the same thing right here with the test123, but when you hover over it, because you said onmouseover alert(1), it's going to pop up with an alert. So it's the same thing when you do an image source equals x and you say onerror equals alert(1): the reason why that works is because this x doesn't exist, there's going to be an error with that image, and it's going to call alert for that specific reason. So you can also do other functions, you can do something like confirm, for example, you can do import if you want to import your own JavaScript code, so you can say import mysite.com/1.js, or you can put them in quotation marks as well, and you can put that on error right here. So every time there is an error it's going to call out to your JavaScript file and it's going to execute whatever is inside of it. So in 1.js you can put something like alert(1), or if you're more advanced you can put your XSS payload or your blind XSS payload within it and call it every time. So I want to make sure I cover that so you kind of understand how JavaScript works and why these event handlers work before you jump into cross-site scripting itself.

Now let's jump into our example, and as always you can follow along by going to hackinghub.io. Just look for my 5WE program hub in there, go to XSS and we're going to launch it. Give it a sec, it's going to come back with a URL, and you're going to click Start. It's going to bring us to this website. You are going to need Caido more than likely; honestly it doesn't matter what tool you use, you can use ZAP, you can use Burp Community, or you can just do Caido. Actually the version of Caido I'm using is a free version. But here we are, we're going to activate our Burp Suite, it is already active and it's going to intercept whenever we need it to. But the first thing we want to do is we kind of want to look around this website. I'm sure there's going to be a lot of XSS in this one, but I'm going to cover a few of them and show you how I look for them specifically. The number one thing you want to do, obviously, is click on all these different URLs and see if it does anything, and if it takes you to a different page, and if that page actually has any functionality. This one doesn't. The next one is going to the next page, which is going to add the page ID, and usually every parameter you see in a URL is a great place to test for XSS. So what you want to do is put in a test123 for whatever parameter you want to test, and we're going to send this exact request and see if test123 actually reflects or gets shown anywhere in the page. And as we do a Command-F and do a test123 search, nothing shows up.

The next thing you want to do is either go to the source, view page source; honestly, if you do inspect you get more data because of the DOM in there, so I'm going to open up inspect and I'm going to look for the same exact thing, which is test123, and we can see that it's being reflected within the DOM, within a script tag. So the first thing you want to do is, and this is the reason why I tell everybody to stay away from just copy-pasting payloads, is because if you copy-paste a payload, for example let's do something like an image source equals x onerror equals alert(1), if we send this, even though it is a valid XSS payload, it is not going to pop up, because we are in the context of a script. You always want to see where your test reflects and kind of play around with it and get out of that context before you include some JavaScript. In this case we're in a script tag; sometimes you're going to be in a text format, so it's a textarea; sometimes it might be in a title. All of those are the same: if you give it a valid HTML payload or an XSS payload, it's not going to fire. So what we're going to do here is we see that we're in a script tag, we need to close the script tag, and in HTML all you have to do is do the same tag and put a closing bracket against it. So we're going to do a script, and then we're going to put our test123 and see if it changed anything on the page. It looks like now we have broken out of the HTML, and at the bottom of the page we actually have some stuff that has leaked, because we've closed out the script tag and the browser doesn't know what to do with the leftovers. So what we're going to do here is go back to our test123 here and we're just going to add whatever payload we want, whether it's image source, whether we want to do an XSS, and so on, and as you can see right there it pops up with our alert. And the only reason why this works is because we looked into the DOM and we saw that we are in a script tag and we want to close that out.

You also have the capability of not having to actually close a script tag. So if we look at test123 again, sometimes you may not be able to close a script tag, and all you have to do is just close that parameter. So we're going to say hey, I want to say two, and then we look right here, we can see that this two right here is having an extra apostrophe and then the rest of it, and this is not valid JavaScript. But what we want to do is, now that we have closed it out, we can comment the rest of it out, and if we look for it again... oh, let's do test123 at the end of this just so we know where to look for it. If we look for test123, we can see that now we have valid JavaScript: we've closed the passed parameter, but now we want to introduce a JavaScript alert into this. Let me type this in really quickly right here. What we're going to do is, since we've already closed the apostrophe right here, that's what we've inserted, then we have our semicolon, that's what it is, then we're going to give it a plus, and then whatever function we want to call, in this case we want to call alert(1). By doing that it works, alert(1) works out. Now what we want to do is also take a look at all the different variables that may be called in here. There's also this thing called referrer, which has an empty value, and you can see pageId is pretty much what we have put up here that is reflecting in their source. And a lot of times when I do a test and I see something empty like that right under another variable or parameter that was used, I always want to just check it out. I'm going to put in referrer, and then maybe we can do just a 5WE program 123 for this one. Let's try it one more time; we can ignore the alert, we can actually remove it so it's not annoying us anymore. We're going to send that out, and then we're going to do a 5WE123 search. Nothing comes up, so you can see in this one maybe referrer doesn't work. Actually, it looks like we have a typo, so let's do one R. It's really important to make sure you actually do this properly. We're going to do 123, test123, there we go. Now we can see right here underneath the referrer, even though we didn't see it on the page, it was not mentioned to us, we can see it exists under our JavaScript right here, it says referrer. We put the same thing in there, which tries some value for it, and we look it up and it reflects. The concept is the same thing: we can just do a script, or we can just close that one out, and close that one out, and then do an alert(123) and see if that works as well. Let's see what didn't work. I forgot a semicolon, so let me just put that in there and let's see what calls it this time. It's also really important to actually comment out all the rest of this JavaScript that is not going to be valid, because the browser is going to look at it and go, well, what am I supposed to do with the rest of this? So what we're going to do is just comment that out as well, and now we can see alert(123) work. So that's a really good place to start with cross-site scripting: you always want to just do your first value first, see what context you're in, and then go from there.

The second thing is you also want to look at all the other fields that are presented to you within a web page. So for example one of my favorite things to look at a lot of times is customization, and a lot of times people miss this because they're not really looking at it properly. So what we're going to do in this case is use the update settings. We're going to do the same thing: we're going to say, I'm just going to assume we're in some quotation, close the HTML tag and start our underline, and update settings. It's going to come back and obviously nothing works, and we're going to look this up, and if we click right here and do edit HTML we can see that our quote right here was properly sanitized, so it doesn't let us actually do XSS. Then this may not be vulnerable, and right here if we try to do some additional values and save it, it doesn't work, it's not taking that because there's some sort of a test. But here's where it gets interesting: just because on your browser itself you are not allowed to enter some sort of a value, it doesn't mean that it's not vulnerable. A lot of times what I see is if I put even HTML code right here, at the bottom of the box it says hey, no special characters are allowed. A lot of times people give up right there, and what I recommend a lot of times is to go in here and actually remove it and put it in the POST request. So what I'm going to do here, I'm going to go back to Caido, I'm going to start queuing, I'm going to send this request, and we can see it's sending a request to settings. I'm going to send it to my repeater and we're going to stop queuing this, go to replay, and right here we're going to see what we have. So for this first one, we know we can put special characters in but it's not vulnerable. But what's really cool is that there's styling in here that we can actually mess with, and if you're not familiar with CSS, CSS usually starts with a style tag. So if I actually copy this and go back in here and look for this code, you can see that it is under a style tag and it's written right there. So what happens if we actually do this manually and put it in our request and say hey, I want to close style and I want to add test123? Let's send this, and it will save. We're going to go back to this page and reload it, and at the top right here you can see that there is some text that's hidden, it's kind of not visible, but it's leaking the remainder of the JavaScript starting with test123, because we told it to close style and then add a test123. That is vulnerable, so it's leaking everything. So what you want to do in this case, this is why I say context is very, very important, what you want to do here is insert your script alert, whatever you want to use, whatever payload you want to use, you can put it in there, and as we refresh I'm willing to guarantee you that this is going to work. There we go, this one worked.

So there it is. There are different ways you can look for cross-site scripting; it's not always just based on the input that you can see, and just because you see an error doesn't mean that you have to stop. So if there's a client-based check, you want to make sure there's a way that you look at it: you can go kind of Burp, Caido or ZAP and pass it through your proxy and see if you can actually bypass those restrictions. All right, I think this is a very good start for us to our first week with the five-week program. This is week one, so congrats, you've made it to the beginning of week one. What I have for you now is: go to Discord. If you want to also stream while you do this, you're more than welcome to do it, but go to Discord, look at the list of targets that we have created for these five weeks, pick a target, go after an application that looks really cool, maybe you're interested in, or it's, you know, large enough for your test. Look at every single one of those parameters, every single input field that you can see, right here for example, every blog title, every background color, every signature, anything that you can put text in that is going to get represented to you, and test it out for HTML and then escalate it to cross-site scripting, and bonus points if you find HTML injection. I already know that somebody on our Discord found an XSS that they couldn't escalate, it was just HTML injection, and they had some issues escalating it. They sent it to me and I was able to help them. So if you do find an HTML injection, drop it in the Discord, send me a DM and let me take a look, and maybe I can show you how to bypass it or exploit and escalate it. All right, that's it. Make sure you guys are on Discord, and make sure, if you haven't already, hit that subscribe button, like this video, let's get this video to 1,000 likes, and I will drop another brand new video for the second week. All right, that's it, see you guys next week. Peace.
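The walkthrough above finds XSS by checking which context the probe lands in: a quoted JavaScript string inside a script tag, a value inside a style tag, or plain HTML. The following is an added example that is not part of the video or the 5WE lab; it shows the server-side (Node) side of the same three contexts, with a naive templating function beside a context-aware encoding for each, plus a small string check that mirrors searching the DOM for the probe to see whether it closed the enclosing element. All function names and sample values are assumptions made for this example.

```javascript
// Added example (not from the video): how the reflection contexts in the
// walkthrough should be encoded on the server side, and a simple check that
// mirrors "search the DOM for test123 and see whether it escaped its context".
// All function names and sample values below are constructed for this example.

// --- HTML text context: what the <u>test123</u> probe is testing -------------
function encodeForHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// --- JavaScript string context (the pageId / referrer reflection) ------------
// Naive templating: the value is dropped into a single-quoted JS literal.
// A bare ' ends the literal (the '; + alert(1) // trick in the video) and a
// </script> ends the whole script block, because the HTML tokenizer runs before
// the JS engine and does not care about JS quoting at all.
function naiveScriptEmbed(name, value) {
  return `<script>var ${name} = '${value}';</script>`;
}

// Safe templating: JSON-encode (escapes quotes, backslashes, newlines), then
// also escape the characters the HTML parser reacts to, so neither </script>
// nor <!-- can appear literally inside the script block.
function encodeForJsString(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028') // JS line terminators JSON does not escape
    .replace(/\u2029/g, '\\u2029');
}
function safeScriptEmbed(name, value) {
  return `<script>var ${name} = ${encodeForJsString(value)};</script>`;
}

// What the JS engine would actually see as the variable's value: the safe
// embed round-trips hostile input back as plain data, nothing executes.
function embeddedJsValue(html) {
  const m = /= (.*);<\/script>$/s.exec(html);
  return m ? JSON.parse(m[1]) : null;
}

// --- CSS value context (the background-colour setting inside <style>) --------
function naiveStyleEmbed(color) {
  return `<style>body { background: ${color}; }</style>`;
}
// Allow-listing beats escaping here: a colour is a hex triplet/sextet or a
// short keyword, so anything else (including </style>test123) is rejected.
const CSS_COLOR = /^(#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[a-zA-Z]{1,20})$/;
function safeStyleEmbed(color) {
  if (!CSS_COLOR.test(color)) {
    throw new Error('background colour rejected: not a hex code or keyword');
  }
  return `<style>body { background: ${color}; }</style>`;
}

// --- Detection: did the reflected value escape its enclosing element? -------
// If the page ends up with more than one closing tag of the element the value
// was reflected into, the injected value supplied one of them (the "leftovers
// leaking at the bottom of the page" symptom from the video).
function escapesContext(html, closingTag) {
  const lower = html.toLowerCase();
  const tag = closingTag.toLowerCase();
  const first = lower.indexOf(tag);
  return first !== -1 && first !== lower.lastIndexOf(tag);
}

// Stand-alone demo with the probe used in the video (constructed input).
const probe = '</script><u>test123</u>';
console.log('naive script embed escapes:', escapesContext(naiveScriptEmbed('pageId', probe), '</script>'));
console.log('safe script embed escapes:', escapesContext(safeScriptEmbed('pageId', probe), '</script>'));
console.log('value the JS engine sees:', embeddedJsValue(safeScriptEmbed('pageId', probe)));
```

The point of the three encoders is the one the video makes from the attacker's side: the same payload behaves differently depending on where it lands, so the fix has to match the context too. HTML entity encoding does nothing inside a script block, JSON encoding alone does not stop `</script>` (the HTML tokenizer ends the block before the JS engine sees the string), and for a CSS colour an allow-list is simpler than trying to escape every way out of a style rule.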