March 15, 2018
0

ezXSS: Test Blind Cross Site Scripting

Category : Blog

Blind Cross Site Scripting

Blind cross site scripting (BXSS) is a variation of stored XSS, where the injection point and the execution point are different. It’s harder to find and certainly requires a different methodology than testing for stored (non-blind), reflected, or even DOM-based XSS.

Typically, with stored Blind cross site scripting, the payload is executed on the same page it was injected in.

ezXSS: Test Blind Cross Site Scripting

ezXSS is an easy way to test blind Cross Site Scripting.

Cross-site Scripting (XSS) refers to client-side code injection attack wherein an attacker can execute malicious scripts (also commonly referred to as a malicious payload) into a legitimate website or web application. XSS is amongst the most rampant of web application vulnerabilities and occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.

Features of ezXSS:

Easy to use dashboard with statics, payloads, view/share/search reports and more
Payload generator
Instant email alert on the payload
Custom javascript for extra testing
Prevent double payloads from saving or alerting
Share reports with other ezXSS users
Easily manage and view reports in the system
Search for reports in no time
Secure your system account with extra protection (2FA)
The following information is collected on a vulnerable page:
The URL of the page
IP Address
Any page referer (or share referer)
The User-Agent
All Non-HTTP-Only Cookies
Full HTML DOM source of the page
Page origin
Time of execution
its just ez

Required

PHP 5.5 or up
A domain name (consider a short one)
An SSL if you want to test on https websites (consider Cloudflare or Let’s Encrypt for a free SSL)

Blind Cross site Scripting (XSS) Vulnerability Detection

One of the major features that XSS Hunter offers is the ability to find blind XSS. This is a vulnerability where an XSS payload fires in another user’s browser (such as an administrative panel, support system, or logging application) which you cannot “see” (e.g. it does not fire in your browser). XSS Hunter addresses this by recording extensive information about each payload fire in its database.