
  • XSS Scanners ?

    Posted by Anthony on June 11, 2021 at 1:27 pm

    Hello everyone, what are your thoughts on scanners that specialize in hunting for XSS? All of them claim to be the best, but after using a few I can tell you that is far from true; it seems that they can’t get past these WAFs. Here is a list of scanners I have used in my ongoing pursuit of finding my first vulnerability.

    – XSpear

    – XSStrike

    – XSSer

    – XSShunter

    – KNOXSS

    I don’t know whether to test manually or use automation; nothing seems to go right. I am taking a step back and wondering if it’s worth it anymore to find XSS. Should I focus on vulnerabilities like SQL Injection and/or Command Injection? It has been 12 solid months and nothing so far. What am I doing wrong? Am I just not cut out for this, or is it only a matter of time before I strike gold? It seems that most XSS has been found already at this point and most companies have gotten smarter in filtering these vulnerabilities out.

    Any advice would be helpful, thank you.

  • Christophe

    Administrator
    June 15, 2021 at 3:26 pm

    I’m not sure about all of the others, but I do know that XSStrike does have WAF detection and evasion capability. That doesn’t mean it will always be successful, but it’s at least a start. Once you know what WAF is sitting in front of the application, you can 1) research its weaknesses, and 2) try different payloads and see what gets blocked and what makes it through, then go from there, iterating until something works. This is a time-consuming process unless you get lucky.

    From personal experience, I’d say finding XSS is going to be more likely than SQL injection and command injection, at least for bug bounty programs. XSS consistently comes out on top in HackerOne’s list of top 10 vulnerability bounty awards. That doesn’t mean that will always be the case, but it has been for at least the last couple of years. So while it might be true that organizations are getting better and better at preventing XSS (which is great), the data shows that there is still a long way to go.

    The other thing is that most public programs have already had a lot of eyeballs on them by the time they become public. A lot of programs start out as private, invite-only, and later on (months or years later) sometimes become public. So finding easy vulnerabilities in public programs is going to be difficult unless you jump on the program as soon as it comes out. With that said, hackers are lazy and a lot of them will move on to a different program after checking for low-hanging fruit. Use that to your advantage – sign up for the free tier (or maybe even pay for an account if it’s not too much $) and access portals/endpoints that likely didn’t get anywhere near as much attention as the public marketing website would have. Thinking from a developer’s mindset, that’s also probably where less care was taken for security. “Only customers will access this, and why would customers try to hack us/their own data?” This is a very common mindset, and I’ve heard many variations of that said over the past few years. Use that to your advantage.

    With all of that said, I’d encourage you to take a step back for a moment: bug bounty hunting is hard. It takes a serious amount of time and commitment for most to make headway. Given the time limitations you’ve mentioned in other posts and what looks like a growing frustration, maybe you should take a break from it for a little bit and come back later. Even some of the more popular bounty hunters openly talk about needing to take breaks (months at a time) in between programs. In my opinion, it should be a fun experience. Sure, it will cause frustration, but overall you should be enjoying the hunt of it and overcoming roadblocks and challenges. When it starts deviating from that, I think that’s when it’s time to take a break.

  • Anthony

    Member
    June 15, 2021 at 4:58 pm

    Thank you so much for the words of wisdom, Chris. As a former programmer and data scientist, this is 10x harder, honestly. Yes, I do take breaks due to family and other obligations, to clear my head and relieve some stress, working out, etc. But I do believe I will strike gold one day with enough time and persistence. Your programs are gold and are a lot better than what I have seen so far in the world of ethical hacking; most are all over the place. Yours are straight to the point without being boring, and I like that.