I understand HTML, CSS, some PHP and JS, so I figured XSS was the way to go. I'm currently a programmer and have been getting into bug hunting. Everywhere I go people state XSS is the easiest vuln to find, but when I look more into it, XSS and CSP seem to have almost eradicated reflected XSS. Is there an X-XSS or CSP I can get to practice against, or resources available?
A few additional questions while I'm here:
Is running a port scanner or any automated scanner on a website frowned upon, and wouldn't it be stopped by a firewall or IDT?
When using Burp Intruder to brute-force passwords, wouldn't my IP get blacklisted after so many attempts? (I do have IP Vanish.)
I feel like there are so many methods of catching the signatures of the common tools that unless you have very in-depth knowledge of how the detection systems work you will get nowhere. Are there resources to practice against updated, well put together firewalls, X-XSS, CSP and IDT systems/logic?
Sorry for the novel, just feeling overwhelmed trying to find my first bug.
Disclaimer: I’m a beginner too, but with less experience with the Internet.
It is my understanding that a big difference between pentest and bug bounty is that our targets are usually fully deployed, and the target owners don't want us doing anything to degrade service. I believe that eliminates most or all automation (i.e. scanners, fuzzers, etc.).
Another difference is that pentesters need a broad base of knowledge, whereas we can specialize (e.g. XSS). It’s always easier to break things.
I have seen reflected XSS show up in bug reports, so I know they are out there. From my reading, it appears that XSS will be with us for a while. Finding them will likely get harder and require more expertise over time.
Good luck! [Rich]
haha, good luck with that. I disagree. It depends.
Aside from that, look at what the people making a lot of money from bounties find and you will notice that they couldn’t care less about XSS. You didn’t ask for advice, but I will say: learn a lot about vulnerabilities that pay a lot.
You mentioned that you are a programmer, which means that for you, finding and exploiting an XSS may be easier than for someone else. So, don't focus on XSS, because if there is one you will probably notice it.
About scanners and “invasive” tools: most policies say “don’t run scanners”, but I know that people run scanners anyway. I don’t do it, but I think that there is nothing bad about it if the program doesn’t put it out of scope.
Welcome, and yes, XSS is easy to find and is also one of the toughest bugs to find, because everyone is so well aware of XSS and there is a lot of prevention for XSS these days, like filters/WAFs etc. But in the end developers are human too; they make mistakes too. Let me give you an example of this: I was hunting on this program and there were XSS filters everywhere, but then there was an optional field which didn't have any XSS filters, and I got an easy XSS with a simple payload. But bypassing filters/WAFs needs way more time and knowledge.
In the end it will boil down to your knowledge and experience. If you understand JS, HTML and PHP well, then I would recommend you make a vulnerable XSS page for yourself, then try to patch it, then break it, and do this again and again in different ways, using different methods.
As @stefanofinding said, learn about other vulns too. You don't go into the war with only one weapon.
Good luck, and feel free to ask if you have any other questions.
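The "build a vulnerable page, patch it, break it" exercise suggested above, as an added example that is not from any poster in this thread: a small Node.js lab that serves the same search page twice, once reflecting the query raw (the bug) and once with HTML escaping plus a Content-Security-Policy header (the patch). The file name, port numbers and the `leaksMarkup` check are assumptions made for this example.

```javascript
// Added example: reflected-XSS practice lab (vulnerable vs. patched), Node.js.
// Constructed sample input: the classic test string a tester would type into a search box.
const SAMPLE_INPUT = "<script>alert(1)</script>";

// Vulnerable version: the query parameter is concatenated straight into the HTML.
function renderVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Context-aware escaping for HTML text and quoted-attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Patched version: escaped output. The CSP below is defence in depth, so that an
// escaping gap found later cannot run inline script.
function renderPatched(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}
const CSP = "default-src 'none'; script-src 'self'; base-uri 'none'; frame-ancestors 'none'";

// Hypothetical defender-side check: did the raw input survive into the response?
function leaksMarkup(html, input) {
  return html.includes(input);
}

// Build the response for a request URL such as "/?q=<script>...". `patched` selects the version.
function buildResponse(urlString, patched) {
  const q = new URL(urlString, "http://localhost").searchParams.get("q") || "";
  const headers = { "Content-Type": "text/html; charset=utf-8" };
  if (patched) headers["Content-Security-Policy"] = CSP;
  return { headers, body: patched ? renderPatched(q) : renderVulnerable(q) };
}

// Run `node xss_lab.js --serve`, then open http://localhost:8080/?q=... (vulnerable)
// and http://localhost:8081/?q=... (patched) in a browser and compare.
function startServers() {
  const http = require("http");
  for (const [port, patched] of [[8080, false], [8081, true]]) {
    http.createServer((req, res) => {
      const { headers, body } = buildResponse(req.url, patched);
      res.writeHead(200, headers);
      res.end(body);
    }).listen(port);
  }
}
if (process.argv.includes("--serve")) startServers();
```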