SECRY – XSS Using Oneliner
Hello SECRY readers! Have you ever thought that recon and manually checking for specific vulnerabilities can be exhausting and sometimes a huge waste of time?
Well, that’s why I want to share a one-liner command for scanning, but this time it’s for reflected XSS.
Here’s the one-liner:
waybackurls example.com | grep '=' | qsreplace "<h1>KOESOPOKOE</h1>" > result.txt ; cat result.txt | while read -r host; do curl -s --path-as-is --insecure "$host" | grep -qs "<h1>KOESOPOKOE</h1>" && echo -e "$host \033[0;32mVulnerable\033[0m" || echo -e "$host \033[0;31mNot Vulnerable\033[0m"; done
Stage by stage: waybackurls pulls every URL the Wayback Machine has archived for the domain, grep '=' keeps only the ones that carry a query string, qsreplace swaps every parameter value for the <h1>KOESOPOKOE</h1> marker, and the loop fetches each resulting URL and prints Vulnerable when the marker comes back unencoded in the response body. Note that the loop header must be while read -r host; do (a stray extra do makes the shell reject the command). Also note what a hit means: the marker was reflected verbatim, which is an indicator, not a confirmed XSS. It may land inside an attribute, a script string, or a JSON body served as application/json, where an <h1> tag does nothing, so every Vulnerable line still needs manual confirmation in a browser.
This one-liner command was originally obtained from Xploit Lab, but I made some slight modifications to it because there were some issues when I used the Xploit Lab version of the script command
The one-liner depends on three tools being installed: waybackurls, qsreplace, and curl. Make sure waybackurls and qsreplace are installed before proceeding (curl ships with most Linux distributions). I happen to be running this on WSL (Windows Subsystem for Linux) with Ubuntu as the operating system.
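As an added example (my own script, not the SECRY one-liner or the Xploit Lab version), here is the same pipeline written so that the fetch and the verdict are separate functions. It assumes waybackurls, qsreplace and curl are on PATH; the marker string, the ten-second timeout and the three verdict labels are my own choices. Splitting the verdict out lets you test it against a saved response body, and it distinguishes a raw reflection from one where the server HTML-encoded the tags, which the one-liner's single grep would report as Not Vulnerable even though the parameter still reaches the page.

```shell
#!/bin/sh
# Added example: reflected-XSS reflection check as a script.
# Assumes waybackurls, qsreplace and curl are installed (not verified here).
set -u

MARKER='KOESOPOKOE'              # arbitrary string unlikely to occur naturally
PAYLOAD="<h1>${MARKER}</h1>"     # same marker the one-liner uses

# reflection_verdict BODY
#   reflected : the payload appears byte-for-byte (tags intact)
#   encoded   : the marker is present but the tags were escaped/stripped
#   absent    : the parameter value never reached the response body
reflection_verdict() {
  body="$1"
  if printf '%s' "$body" | grep -qF "$PAYLOAD"; then
    echo reflected
  elif printf '%s' "$body" | grep -qF "$MARKER"; then
    echo encoded
  else
    echo absent
  fi
}

# check_url URL -> prints "URL verdict".
# --insecure disables TLS verification, as in the original one-liner;
# --max-time keeps one dead host from stalling the whole scan.
check_url() {
  url="$1"
  body=$(curl -s --path-as-is --insecure --max-time 10 "$url") || body=""
  printf '%s %s\n' "$url" "$(reflection_verdict "$body")"
}

# run DOMAIN -> archived URLs with a query string, every parameter value
# replaced by the payload (qsreplace emits each host/path/parameter-set once),
# then one request per URL.
run() {
  domain="$1"
  waybackurls "$domain" \
    | grep '=' \
    | qsreplace "$PAYLOAD" \
    | while IFS= read -r url; do
        check_url "$url"
      done
}

# Scan only when a domain is given on the command line.
if [ $# -gt 0 ]; then
  run "$1"
fi
```

Run it as sh scan.sh example.com. A reflected verdict still only means the payload came back verbatim somewhere in the body; an encoded verdict is worth a second look with a different payload, because the sink reaches the page even if this particular one was neutralised. Either way, confirm the injection context in a browser before reporting.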
What is waybackurls?
waybackurls is a tool that accepts line-delimited domain names via standard input (stdin), or a single domain as an argument, and retrieves known URLs from the Wayback Machine for each `*.domain`. It then outputs these archived URLs to standard output (stdout). This is valuable for recon because the archive often holds endpoints and query parameters that are no longer linked from the live site but may still be served, which is exactly where forgotten reflected parameters tend to live.
Here’s a simple way to install waybackurls (text-based tutorial):
- Ensure that Go is installed on your laptop/computer/VPS. If not, follow the official Go installation guide first.
- Run go install github.com/tomnomnom/waybackurls@latest
- Add export PATH="$PATH:$HOME/go/bin" to your .bashrc file so the shell can find the binary that go install placed in $HOME/go/bin.
What is qsreplace?
qsreplace is a tool that takes URLs via standard input (stdin) and replaces all the values in each query string with a user-supplied value. What sets qsreplace apart is that it outputs each unique combination of query string parameter names only once per host and path. In other words, if the archive holds a thousand variants of /search?q=...&page=..., qsreplace emits a single /search?q=PAYLOAD&page=PAYLOAD, so you can run a series of test cases against every distinct parameter set without flooding the target with duplicate requests.
For a simple installation of qsreplace (text-based tutorial):
- In my WSL setup, it was sufficient to run go install github.com/tomnomnom/qsreplace@latest, and it was installed directly.
Note: Regarding the installation process, it’s possible that some errors or issues may occur on certain devices. As a bug hunter, it’s essential to be diligent in using Google to find solutions.
That’s it for my short tutorial. Stay tuned for more bug bounty tips on secry.me.