By Anna Hammond
August 18, 2021
Cross-site scripting or XSS vulnerabilities are incredibly common and not to be underestimated. Oftentimes, they can even occur in the dark, in places where you can't see the result. In this week's instance of Hacker Tools, we're going to look at XSSHunter, a tool to help you find blind XSS vulnerabilities by @IAmMandatory.
Tool tip: use @XssHunter by @IAmMandatory and score bounties while you're asleep. #HackWithIntigriti pic.twitter.com/oVGwDXrzBK
- Intigriti (@intigriti) June 6, 2019
Let's hear it from the XSSHunter website:
XSS Hunter allows you to find all kinds of cross-site scripting vulnerabilities, including the often-missed blind XSS. The service works by hosting specialized XSS probes which, upon firing, scan the page and send information about the vulnerable page to the XSS Hunter service.
https://xsshunter.com/features
We're going to dissect that quote. There is an incredible number of web services out there that are vulnerable to cross-site scripting attacks. If you're unaware of what XSS is, check out our Hackademy!
These XSS vulnerabilities aren't all the same. Some are reflected, meaning your input is reflected directly onto the page; others are stored in a database and shown at a later time; there is DOM-based XSS; and there is blind XSS. This last type is very often overlooked because it is hard to see the results of your actions, hence the name blind XSS.
Imagine a contact form where you can input a message. This message will be shown to somebody working for the company. If this is vulnerable to XSS, then the support personnel might get an alert window popping up on their screen, but you will have no knowledge of it. That's the main problem XSSHunter is trying to solve.
When the XSS payload gets triggered, it will request a probe from the XSSHunter service. This will then cause the page to be scanned and information to be sent back to you via email. This way you stay up to date on when and where your XSS fired.
Enough theory, let's set up our own instance!
A hit to our XSSHunter service!
Whilst you can use the hosted XSSHunter website to use this amazing service remotely, it might be beneficial for you to set up your own instance.
Why? Well, when you host things yourself, you have more granular control over the configuration. Additionally, this makes sure that only you can view your results. The notifications you receive via mail don't end up in your spam folder, and you won't miss out on some sweet executions of your payload if the XSSHunter website were to go down or get blocked.
Reasons enough to host your own instance, and others would agree with you, which is why XSSHunter Express was created. Let's talk about setting it up!
XSSHunter Express on Github
One of the things you're going to need is a place to host your XSSHunter instance. This server then also needs to be accessible through the internet via a domain name. I bought a new domain for this purpose and added an A-record to the DNS to point the subdomain xss to my server's IP address. The image below shows how that looks.
DNS A record for xss subdomain
Ready to continue? Let's clone the repository from Github and go into the newly-created directory.
git clone https://github.com/mandatoryprogrammer/xsshunter-express.git
cd xsshunter-express
Cloning the repository
There's only one file we need to edit to configure our instance: docker-compose.yml. Open it in your favorite text editor and let's get to work!
There are only a couple of values you need to change here and they have all been marked in the screenshot below.
Version: For some reason, the repository holds the value 3.9 by default, but docker-compose does not support that version. Therefore, change this value to 3.3.
Hostname: This field should contain the hostname to be used for your service. Note that this should be the same one we configured in the DNS earlier.
SSL contact email: XSSHunter will use Let's Encrypt to generate an SSL certificate (and will keep it up to date for us). Enter an email address to be used for this SSL certificate.
The mail settings: XSSHunter will send notifications when one of your payloads has executed. I created a custom mail address for these and set all of the mail values to that address. This way, I have a mailbox dedicated to just XSS vulnerabilities!
docker-compose.yml file
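The four edits described above, shown in place, as an added example rather than the post's screenshot or the repository's own file. The service layout and environment variable names are my recollection of the repository's docker-compose.yml and should be checked against your checkout; every value is a constructed placeholder.

```yaml
# Constructed example of the docker-compose.yml edits this post walks through.
# Variable names are assumed from memory of the repository; verify them in your own checkout.
version: "3.3"            # shipped as "3.9"; the post changes it to 3.3 so docker-compose accepts the file

services:
  xsshunterexpress:
    build: .
    environment:
      # Must be the same subdomain whose A record points at this server (placeholder value).
      - HOSTNAME=xss.example.com
      # Contact address for the Let's Encrypt certificate XSSHunter issues and renews.
      - SSL_CONTACT_EMAIL=certs@example.com
      # Notification mail: the post uses one dedicated mailbox for every mail-related value.
      - SMTP_EMAIL_NOTIFICATIONS_ENABLED=true
      - SMTP_HOST=smtp.example.com
      - SMTP_PORT=465
      - SMTP_USE_TLS=true
      - SMTP_USERNAME=xsshunter@example.com
      - SMTP_PASSWORD=CHANGE-ME          # stored in plaintext here: keep this file out of git and readable only by you
      - SMTP_FROM_EMAIL=xsshunter@example.com
      - SMTP_RECEIVER_EMAIL=xsshunter@example.com
    ports:
      - "80:80"      # the ACME HTTP-01 challenge for the certificate needs port 80 reachable from the internet
      - "443:443"
    depends_on:
      - postgresdb

  postgresdb:
    image: postgres:13   # started first with `docker-compose up -d postgresdb`; leave its settings as shipped
```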
Configuration. Check! Let's start this bad boy up!
This works in two simple steps. One: start up the database. Two: start up XSSHunter.
docker-compose up -d postgresdb
docker-compose up xsshunterexpress
Note that when running this for the first time, it's going to take a while to finish. That's because it needs to pull a couple of Docker images and build a new container. Give it some time, grab a coffee or do some hunting on intigriti in the meantime!
After it has finished, you will see an attention message as shown in the image below. Take note of the password being generated (write it down, or save it in your password manager). And no, I didn't forget to blur out the password in this image. By the time you can read this, the instance is long gone! (Because I knew some of you were going to try it.)
Attention message XSSHunter
Is that it? Yes, that's it. Let's go to https://your.domain.name/admin and log in!
Login screen
Now it's time to have some fun. In the next paragraph, we're going to be using XSSHunter to perform a very simple attack!
Time to see if everything works. Let's do this using a simple XSS lab. On this page, we have a search engine that's vulnerable to XSS.
Vulnerable XSS lab
Let's exploit this lab! We need a payload, and XSSHunter can help us with that: the payloads page of your instance lists ready-made payloads. This list is great if you quickly need to get up and running; however, nothing is stopping you from getting creative and creating your own for more nuanced situations. In this case, we'll be fine just copying the basic payload.
XSS payloads page
Paste your payload into the lab and search.
After exploitation
You will now notice that you have received an email telling you your XSS payload triggered! On your admin panel, you will also be able to see the details of the successful XSS exploitation!
Notification email
XSS payload fire report
XSSHunter is a powerful service that will help you find some crazy blind XSS.
If you would like to recommend a tool for us to cover next week, then be sure to let us know down below. Also be sure to check out all the previous Hacker Tools articles, such as the last one on Ciphey.
Did you know that there is a video accompanying this article? Check out the playlist!