Ode To Blind XSS


TL;DR – I re-invented the wheel with bXSS.

This idea started when I attended Mario Heiderich’s Exploiting Websites training at AppSec Europe, which is an absolutely fantastic training, you should check it out. Mario mentioned that his company cure53 have a simple payload that they use for Blind Cross-Site-Scripting (XSS) https://cure53.de/m which I figured would be very useful to utilize for things like bug bounties.

Blind XSS

So, what is Blind XSS Anyways?

Blind XSS is what we call persisted/stored XSS which saves in some storage, such as a database and is executed when a ‘victim’ visits that page and the payload is rendered in the Document Object Model (DOM). The reason why it’s classed as blind is because it normally happens on functionality not normally exposed to a user, such as:

  • Log viewers
  • Customer service portals
  • Application functionality which requires a higher level of privilege

If you think about it in general terms, when testing for Reflected or Stored XSS, the general payload would be something along the lines of:

More: https://lewisardern.github.io/2017/12/10/blind-xss/