Here we are back with another blog.
Today we are going to discuss effective parameter hunting that leads to injections.
So recently we have been working on a private project. Let's call it redacted.com.
Since there were a lot of subdomains, we thought of filtering the subdomains based on the content-length to find domains which offer a large number of functionalities.
So after filtering, we landed on <Sub.redacted.com> which had a login page.
Initially, we were looking for BAC; meanwhile, we noticed that when we enter invalid credentials on the login page, it responds with an error parameter in the url.
So we briskly started injecting XSS payloads to trigger an XSS, but no luck, since we were unable to bypass the filtering.
Soon after we started to test the password reset functionality.
Here we noticed that after entering any invalid email there was no error param generated in the url, so we thought of manually adding this param.
To our surprise, the param was actually reflecting.
Again we tried injecting the XSS payloads but WAF was blocking everything.
Finally, we thought of balancing the markup using the </div> tag, and boom, here comes HTML Injection.
We know what you’re thinking, yeah IFRAME did the rest of the work.
Finding Hidden Parameters:
There are a lot of tools like Param Miner, Arjun, x8 etc. that help us in finding hidden parameters, but unfortunately in our case none of these tools worked, because the parameter was probably not present in the default wordlist.
Active Param Hunting:
Active Param Hunting helps in detecting all the params and generating a custom, target-specific wordlist.
For Creating a custom wordlist we need to extract all the parameters related to the domain and for this, we will use this beautiful tool getAllParams .
A combination of manual testing and automation will always provide you with better results than blindly running scripts.
3. Now Target -> Sitemap -> Choose the target -> Right Click -> Extensions -> Get All Params (GAP)
4. Save all the extracted params in a file
5. You can also gather all the urls using gau, wayback, Katana or any other tool and then extract all the parameters from the gathered urls.
We have written a very basic script which can extract all the parameters from the urls gathered from various tools :
Param-Extract (Yeah lazy script but works also we will update it later)
Alternatively, you can also use the below one-liner to extract the parameter names from the urls using the unfurl tool (%q prints the raw query string, so it is split on & first, otherwise cut would only keep the first parameter of each url):
cat urls | unfurl format %q | tr '&' '\n' | cut -d '=' -f1 | sort -u > params.txt
6. Now merge both the param files and run sort -u on the result.
7. Once you have created a custom wordlist with all the params, you can easily use the Param Miner Burp extension to discover the hidden params.
8. Once you have identified the hidden parameters you can test for various injections or other bugs based on the case scenarios.
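As an added example (not the blog's Param-Extract script), here is a Python version of steps 5 and 6: it pulls the distinct parameter names out of a URL list such as gau or Katana output and merges them with a second list, like the names exported from GAP. The sample URLs and the GAP export below are constructed.

```python
"""Build a target-specific parameter wordlist from URL lists."""
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of what gau / waybackurls / katana typically emit.
SAMPLE_URLS = """\
https://sub.redacted.com/login?error=invalid&next=/home
https://sub.redacted.com/reset?email=a%40b.com&token=
https://sub.redacted.com/search?q=test&q=again#frag
https://sub.redacted.com/static/app.js
not a url at all
https://sub.redacted.com/api?debug
"""

# Constructed stand-in for names exported from Burp (GAP), one per line.
SAMPLE_GAP_EXPORT = "error\nredirect\nEMAIL\n\n"


def extract_param_names(urls: str) -> set:
    """Return the set of distinct query-parameter names found in *urls*.

    Each line is parsed with urlsplit so paths and fragments are ignored,
    parameters without a value (``?debug``, ``token=``) are kept, and blank
    or unparsable lines are skipped instead of polluting the wordlist.
    """
    names = set()
    for line in urls.splitlines():
        line = line.strip()
        if not line:
            continue
        query = urlsplit(line).query
        # keep_blank_values so "?debug" and "token=" survive
        for key, _ in parse_qsl(query, keep_blank_values=True):
            if key:
                names.add(key)
    return names


def merge_wordlists(*lists) -> list:
    """Merge several name collections into one sorted, de-duplicated list."""
    merged = set()
    for wordlist in lists:
        merged.update(name.strip() for name in wordlist if name.strip())
    return sorted(merged)


if __name__ == "__main__":
    from_urls = extract_param_names(SAMPLE_URLS)
    gap_names = SAMPLE_GAP_EXPORT.splitlines()
    for name in merge_wordlists(from_urls, gap_names):
        print(name)
```

Names are kept case-sensitive on purpose, since many backends treat `email` and `EMAIL` as different parameters; feed the printed list to Param Miner as the custom wordlist.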
Happy Hunting!!!!