There are many ways to find parameters where the user input is getting reflected, this is just one such example using Nuclei (DAST). Other methods I discussed are included in the below collection of XSS writeups

XSS Methodology for Bug Hunters

Edit description

medium.com

Beginners want the tools to do everything for them, but I use nuclei to find parameters where the input is getting reflected without sanitization, and from there I try to proceed manually most of the time which also helps to get rid of false positives of fully automated tools. (Semi-automated initial recon to run in the background)

⚠️Before using this make sure to read the guidelines of the program, sometimes it is strictly mentioned that using automated tools is prohibited due to which you might be violating rules even if you are testing for good reasons. Use nuclei with rate-limit for better performance and get rid of overwhelming the server.

📒Template Link location in Kali

/home/kali/.local/nuclei-templates/dast/vulnerabilities/xss


/home/kali/.local/nuclei-templates/dast/vulnerabilities/xss/reflected-xss.yaml
/home/kali/.local/nuclei-templates/dast/vulnerabilities/xss/dom-xss.yaml

🔗 Github Link (ProjectDiscovery — Nuclei)

nuclei-templates/dast/vulnerabilities/xss/reflected-xss.yaml at main ·…

Community curated list of templates for the nuclei engine to find security vulnerabilities. …

github.com

🔍Nuclei (DAST — XSS)

  • Only 2 templates we are interested in here.
None
Linux Terminal Screenshot by Author

If you don't understand the template, just use ChatGPT. In the beginning days, you might not understand thoroughly, but with experience and time, new ideas will automatically click in your mind!

Prompt: Explain the main logic of the below nuclei template

None
Image Credit: ChatGPT by OpenAI
  • Save your URLs with parameters in any file urls.txt and run the below command, and the output we will get are the parameters where the input is not sanitized and getting reflected.

⚓This is the command that I use for XSS (DAST)

nuclei -l urls.txt -t /home/kali/.local/nuclei-templates/dast/vulnerabilities/xss/ -dast
None
Nuclei output Screenshot by Author

From above we can observe parameter PostCode is a potential area to test for XSS as the HTML tags and quotes are not getting sanitized and converted.

Now perform manual testing🙂

Using Burp to Manually Test for Reflected XSS

Using Burp to Manually Test for Reflected XSS Reflected cross-site scripting vulnerabilities arise when data is copied…

portswigger.net

⛏️Labs with solutions

All labs | Web Security Academy

Mystery lab challenge Try solving a random lab with the title and description hidden. As you'll have no prior knowledge…

portswigger.net

🔗Other Articles you might like:

Easy P3 Bug | LDAP Null Bind leads to extract sensitive credentials

P3 Bug on Bugcrowd

medium.com

RCE in 2 Universities😏

acking universities using RCE exploitso

osintteam.blog

📱Follow me on X and LinkedIn for daily bug-hunting updated tips.

🌐 Subscribe to YT Channel LegionHunter for intermediate to advanced content.

Hunter1: Blind automation without the core understanding.

Hunter2: Automation with a basic fundamental understanding.

Elite Hunter: They develop the automation!