Automated Testing for XSS: An Easy Way to Find Your First XSS

Greetings everyone! In this blog post we are going to see how to automate the search for XSS on a targeted domain, which makes it easy to find XSS against your targeted website. We are going to use two tools, waybackurls and dalfox, which make the work easier.

Automating things is always a fun way to discover exploits and vulnerabilities, so why not XSS? All you need to do is install waybackurls and dalfox. See our previous blog, What is XSS.

Why Waybackurls & dalfox?

Waybackurls: Accepts line-delimited domains on stdin, fetches known URLs from the Wayback Machine for *.domain, and outputs them on stdout. It helps you extract all the known URLs for the targeted website, some of which may be vulnerable or exploitable.

Dalfox: DalFox is a fast, powerful parameter analysis and XSS scanner, based on a golang/DOM parser. It is pipeline friendly, works in CI/CD, and supports testing of different types of XSS. It will also give you proper results for XSS, open redirect, SQLi and SSTI.

Workflow:
Waybackurls: To install waybackurls:
  • go install github.com/tomnomnom/waybackurls@latest (older Go releases used: go get github.com/tomnomnom/waybackurls)
  • cd ~/go/bin
  • mv waybackurls /usr/local/bin/

Fetch all URLs using waybackurls. If we need to look up a particular parameter, we can filter the tool's output for it:

  • echo "google.com" | waybackurls | tee output.txt | grep -iE "url="

In the command above, echo passes our target to waybackurls, tee saves the output to the file we want, and grep applies a regex so that only the endpoint parameter we need is shown; here it filters for "url=".

Now run waybackurls without the regex:
  • echo "domain.com" | waybackurls | tee output.txt
  • cat output.txt

Above, we used the cat command to read the output file.

Now we use dalfox to find XSS. First we need to install dalfox:
  • go install github.com/hahwul/dalfox/v2@latest (older Go releases used: go get -u github.com/hahwul/dalfox)
  • cd ~/go/bin
  • mv dalfox /usr/local/bin
Usage of dalfox:
  • dalfox -h

With -h we can check the help output and the different flags dalfox supports. Now, to find XSS:

  • dalfox file output.txt -b hahwul.xss.ht

In the output we see that XSS was triggered, so we can verify it simply by browsing to the URL.

We have now successfully verified XSS by combining two tools that make XSS easy to find. I hope this blog post helped you gain a greater understanding of what Cross-Site Scripting is (see our previous blog) and of how a few tools can make the testing phase easier.

Prevention Against XSS:
  • Attribute Encode Before Inserting Untrusted Data into HTML Common Attributes
  • JavaScript Encode Before Inserting Untrusted Data into JavaScript Data Values
  • HTML Encode JSON values in an HTML context and read the data with JSON.parse
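
The three encoding rules above, shown as an added JavaScript example that is not part of the original post. The function names are hypothetical, the sample input is constructed, and decodeHexEntities only stands in for what the browser does when textContent is read:

```javascript
// Added example. Function names are hypothetical, not from any library.
// Constructed sample input standing in for attacker-controlled data.
const untrusted = `"><script>alert(1)</script>`;

const hex = (ch) => ch.codePointAt(0).toString(16).toUpperCase();

// Rule 1: in an HTML attribute, encode everything except ASCII
// alphanumerics as &#xHH; so the value cannot close the attribute.
function encodeForHtmlAttribute(value) {
  return Array.from(String(value), (ch) =>
    /^[A-Za-z0-9]$/.test(ch) ? ch : `&#x${hex(ch)};`).join("");
}

// Rule 2: in a quoted JavaScript string, encode everything except ASCII
// alphanumerics as \xHH (or \u{...} above U+00FF) so it stays in the literal.
function encodeForJsString(value) {
  return Array.from(String(value), (ch) => {
    if (/^[A-Za-z0-9]$/.test(ch)) return ch;
    return ch.codePointAt(0) < 256
      ? `\\x${hex(ch).padStart(2, "0")}`
      : `\\u{${hex(ch)}}`;
  }).join("");
}

// Rule 3: HTML-encode serialized JSON for element content. In the browser
// the script reads it back with element.textContent and JSON.parse.
function encodeJsonForHtml(data) {
  return JSON.stringify(data).replace(/[&<>"']/g, (ch) => `&#x${hex(ch)};`);
}

// Stand-in for the browser's entity decoding when textContent is read.
function decodeHexEntities(text) {
  return text.replace(/&#x([0-9A-F]+);/gi, (_, h) =>
    String.fromCodePoint(parseInt(h, 16)));
}

// One page fragment with the same value placed in all three contexts.
function renderFragment(name) {
  return [
    `<input value="${encodeForHtmlAttribute(name)}">`,
    `<script>var userName = '${encodeForJsString(name)}';</script>`,
    `<div id="init-data" hidden>${encodeJsonForHtml({ name })}</div>`,
  ].join("\n");
}

console.log(renderFragment(untrusted));
```

Each encoder is only safe in its own context: the attribute encoder's output is not a valid JavaScript string escape, and the reverse also holds.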

Thanks for reading. See you in another blog!

Stick with our blog: https://securiumsolutions.com/

Author : Pallab Jyoti Borah | VAPT Analyst
