Hello, my name is Taseer Hussain and I’m a security researcher. In this article, I will describe how I found reflected XSS in IDFC Bank using Burp Suite Intruder.
Special Note:
Do not leave the testing area without permission. Stay safe, and also stay safe from hackers. A special request to my fellow bug bounty hunters: take care of your health and always follow the rules of engagement.
Tools used for the exploitation
gau(Corben) — https://github.com/lc/gau
waybackurls(tomnomnom) — https://github.com/tomnomnom/waybackurls
Burpsuite — https://portswigger.net/burp
Reflected XSS, automated with Burp Suite Intruder to find multiple XSS on different domains at the same time by fuzzing parameters. I was working on automation and was invited to a new target.
Story Behind the bug:
This is the write-up of how I found multiple reflected XSS using Burp Suite Intruder and automated it to find multiple XSS on different domains, fuzzing parameters at the same time. While casually browsing and exploring the main domain, I noticed an endpoint where my input was reflected in an HTML tag, but all XSS payloads were blocked by the WAF, and all special characters were also encoded to prevent XSS.
Here it goes:
Suppose the target is idfcfirstbank.com and everything is in scope, like this:
In-scope : *.idfcfirstbank.com
To gather all the subdomains from internet archives I used subfinder, waybackurls and gau.
Commands used:
subfinder -d idfcfirstbank.com -silent
gau -subs idfcfirstbank.com
waybackurls idfcfirstbank.com
There is still a chance of missing a subdomain, so to stay ahead of the game and not miss any subdomain during testing, I used subfinder and piped its output to waybackurls to get all the URLs for every subdomain, if any exist, and saved them to a file.
So the final commands look like this:
gau -subs idfcfirstbank.com | unfurl domains >> vul1.txt
waybackurls idfcfirstbank.com | unfurl domains >> vul2.txt
subfinder -d idfcfirstbank.com -silent >> vul3.txt
Now collect all the subdomains in one file and remove the duplicates:
cat vul1.txt vul2.txt vul3.txt | sort -u >> unique_sub.txt
As of now I have collected all the unique domains and stored them in “unique_sub.txt”.
Now create a custom word list for fuzzing the parameters:
gau -subs idfcfirstbank.com | grep "=" | sed 's/.*?//' | sed 's/&/\n/g' | sed 's/=.*//' >> param1.txt
waybackurls idfcfirstbank.com | grep "=" | sed 's/.*?//' | sed 's/&/\n/g' | sed 's/=.*//' | sort -u >> param2.txt
cat param1.txt param2.txt | sort -u >> param.txt
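As an added example (not from the original write-up), the following POSIX shell script does the same parameter-name extraction as the gau/waybackurls pipeline above, but on a constructed list of URLs embedded in the script, so it runs offline and the result can be checked without touching any target. It goes slightly beyond the one-liners: it splits every `&`-separated parameter rather than only the first, and it drops URL fragments. The hostname and URLs are made up.

```bash
#!/bin/sh
# Added example, not code from the original write-up.
# Extract unique query-parameter names from a list of URLs on stdin.

# extract_params: read URLs on stdin, print one unique parameter name per line.
extract_params() {
    grep '?.*=' \
    | sed 's/^[^?]*?//' \
    | tr '&' '\n' \
    | sed 's/=.*//' \
    | grep -v '^$' \
    | sort -u
}

# Constructed sample of archived URLs (placeholder host, not real data).
SAMPLE_URLS='https://example.invalid/search?q=test&page=2
https://example.invalid/login?redirect=/home
https://example.invalid/static/app.js
https://example.invalid/search?q=other&lang=en
https://example.invalid/item?id=42#frag'

# params_from_sample: run the extractor over the constructed sample.
params_from_sample() {
    printf '%s\n' "$SAMPLE_URLS" | extract_params
}

# Prints: id lang page q redirect (one per line)
params_from_sample
```

Feed the real URL list with `cat urls.txt | extract_params >> param.txt` in place of the sample; the resulting list is what gets loaded into Intruder as the parameter-name payload set.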
As of now I have collected all the unique parameters and stored them in “param.txt”.
Now I have the unique domains and a custom parameter list for fuzzing.
NOW the actual automation of reflected XSS with Burp Suite Intruder starts:
While playing around with the endpoint in Burp Repeater, I came across a parameter that was reflected inside an HTML tag, but when I injected the XSS payload it was blocked by the WAF, and the special characters were also encoded, which was very hard to bypass.
I tried multiple encoding and decoding techniques to bypass this, and also tried multiple WAF bypass payloads and some custom payloads, but with no success. It was very hard to bypass the WAF and the encoding to trigger the XSS, as it was on their main domain.
So, after trying everything, I thought: why not try the same endpoint on another domain, and also check whether there is some other parameter that may be vulnerable which I might have missed?
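As an added example (not from the original write-up), the following POSIX shell script shows the check that sits behind this step: whether a probe value sent in a parameter comes back in the response body verbatim, only in HTML-encoded form, or not at all. Intruder's "Grep - Match" option performs the same comparison on every response; here it runs offline against constructed sample responses (the canary string and the response bodies are made up), which is also the quickest way to confirm that output encoding is actually applied on an endpoint.

```bash
#!/bin/sh
# Added example, not code from the original write-up.
# Classify how a canary string is reflected in an HTTP response body:
#   raw      - reflected verbatim, i.e. no output encoding on this sink
#   encoded  - reflected only with HTML special characters encoded
#   absent   - not reflected at all

# Constructed probe containing the characters output encoding must handle.
CANARY='zx9q"<>zx9q'

# html_encode STR: apply HTML entity encoding for & " < > (in that order,
# so the & inserted by later substitutions is not re-encoded).
html_encode() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' \
                           -e 's/"/\&quot;/g' \
                           -e 's/</\&lt;/g' \
                           -e 's/>/\&gt;/g'
}

# reflection_state BODY CANARY: print raw | encoded | absent
reflection_state() {
    body=$1
    canary=$2
    encoded=$(html_encode "$canary")
    case "$body" in
        *"$canary"*)  echo raw ;;
        *"$encoded"*) echo encoded ;;
        *)            echo absent ;;
    esac
}

# Constructed sample responses (not captured from any real site).
RESP_RAW='<input name="q" value="zx9q"<>zx9q">'
RESP_ENC='<input name="q" value="zx9q&quot;&lt;&gt;zx9q">'
RESP_NONE='<html><body>Not found</body></html>'

for body in "$RESP_RAW" "$RESP_ENC" "$RESP_NONE"; do
    printf '%s\n' "$(reflection_state "$body" "$CANARY")"
done
# prints: raw / encoded / absent
```

Only the `raw` outcome indicates a sink that reflects attacker-controlled characters unchanged; `encoded` is the behaviour the write-up ran into on the main domain, where the encoding did its job. The same three-way check applied per domain and per parameter name is what the Intruder run automates.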
Burpsuite Process:
Using this method I was able to find multiple reflected XSS using Burp Suite Intruder. I reported all the issues in a single report, and as all the issues were the same, with the same root cause, I was rewarded only once.
Moral of the Story:
Use Burp Suite as an automation tool because of the unlimited power it offers, and also because you don’t need programming knowledge for it; you just need to know how to use it.
Takeaway
I’m sure that a lot of security researchers have already seen this process, but this is how I approached finding multiple reflected XSS using Burp Suite Intruder.
That’s one of the reasons why I wanted to share my experience, and also to highlight other techniques to exploit such a vulnerability.
Support me if you like my work! Buy me a coffee. You can also read my other blogs.