January 16, 2018

KNOXSS for Dummies! A new Detailed Guide to use KNOXSS Pro in real world

by
Just “XSS” it

Hello to all my brothers and friends.

First I would like to thank @knowledge_2014 (ak1t4 z3n) for his support and @IfrahIman_ (Ifrah Iman) for helping to write this article.

My name is Emad Shanab from Egypt. I am a lawyer by occupation but I love to find bugs in websites as a hobby.

“Every Law has its own Bugs” — Me

When it comes to website vulnerabilities, one of the most common is Cross-Site Scripting, and that's what I find the most. But these days, with numerous protections against cross-site scripting bugs and different kinds of WAFs protecting sites from it, it sometimes gets a little difficult to find. (We are not talking about pasting alert(1) in a search box.)

One year back my friend @brutelogic, XSS Jedi, released a masterpiece called “KNOXSS”. Even though it's still in its beta release, it has gone through many good changes, and hopefully the stable one will be much better.

So what is KNOXSS? KNOXSS is an online XSS discovery tool. It is quite different from XSS-finding scripts, as it is based on its own server. Using it is very simple, and it directly bypasses the WAF by using tons of Brute’s custom payloads and directly gives us the PoC link.

KNOXSS helped me achieve bugs like:

1:- XSS in UBER — 500$ bounty -HOF

2:- XSS in Adobe 2 XSS -HOF

3:- XSS in private sites — bounty -HOF

4:- More than 700 XSS report in openbugbounty platform -bounty-HOF

And many more !

So this “KNOXSS for Dummies” will guide you to use KNOXSS pro version properly.

There are two ways to test for XSS in a website with KNOXSS:

1:- Use KNOXSS to find XSS on current page’s domain (by extension)

Example to bypass CloudFlare WAF:

http://ecoplusfuneraire-saintlo.com/

2:- Or using KNOXSS Pro Interface and entering a URL endpoint or domain

Example:

https://www.asus.com/uk/search/results.aspx?SearchKey=xs&SearchType=Shop

All these examples were reported to the companies via the Open Bug Bounty platform and to asus.com via email.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

KNOXSS is a genius tool, as I believe it doesn’t only scan the URL but also gets more endpoints from the source code, making automatic POST requests on things like buttons/options, etc., with very few positives.

KNOXSS currently looks for:

1- Reflective XSS

2- XSS via POST Request

3- Blind XSS

Now, for example, if you decide to test https://www.test.com and fire up the extension, you will see a notification from the extension that says:

“Extensions active for *.test.com”

Then it will automatically look for endpoints and URLs like “.*test.com/emad?tags=”, etc., and make automatic POST requests, which it will test with I wonder how many 1337 payloads.

If the payload gets injected successfully in one of the links, it is a Reflective XSS, and KNOXSS will open a new browser window with that URL.

In some cases, when the payload is not in the URL but in the source code, KNOXSS generates a base64 code with the POST request, where you have to click on the button and the XSS gets executed.

KNOXSS can get Blind XSS too! If you turn on KNOXSS on a link where a message is sent to the admin portal, like a contact form, KNOXSS automatically sends the payload, and once it is executed, it sends you a notification of the report via email.

Example for Blind XSS:

https://jusfood.com/

http://www.mymeetscores.com/

Run KNOXSS on these 2 sites and check your inbox; after a while you’ll receive the report.
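What a site owner has to change for the reflected and blind findings described above to go away, as an added example that is not part of the original post or of KNOXSS: encode user input at output time, both on the page that echoes a parameter and in the admin view that later displays a stored contact message. The function names, the sample probe and the CSP value are assumptions made for illustration; `SearchKey` is borrowed from the example URL earlier in the post.

```javascript
// Added example: hypothetical server-side rendering helpers, not KNOXSS code.

// Encode the characters that let input leave an HTML text node or a quoted
// attribute. "&" is replaced first so entities are not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// VULNERABLE: the search term is reflected raw into an attribute and into text.
function renderSearchUnsafe(query) {
  return `<input name="SearchKey" value="${query}"><p>Results for ${query}</p>`;
}

// HARDENED: same markup, but the term is encoded before it is written out.
function renderSearchSafe(query) {
  const q = escapeHtml(query);
  return `<input name="SearchKey" value="${q}"><p>Results for ${q}</p>`;
}

// Blind case: a contact-form message is stored and rendered later in the
// admin portal, so the encoding has to happen in the admin view as well.
function renderAdminInbox(messages, encode = escapeHtml) {
  return messages
    .map((m) => `<li><b>${encode(m.from)}</b>: ${encode(m.body)}</li>`)
    .join("\n");
}

// Second layer for the admin portal: a response header that refuses inline script.
const ADMIN_CSP = "default-src 'self'; script-src 'self'; object-src 'none'";

// Constructed sample input (not taken from any real report).
const probe = '"><script>alert(1)</script>';
const inbox = [{ from: "visitor@example.test", body: probe }];

console.log(renderSearchUnsafe(probe)); // markup is broken out of the attribute
console.log(renderSearchSafe(probe));   // probe is shown as inert text
console.log(renderAdminInbox(inbox));
```

A WAF in front of the unsafe version only filters known patterns; the hardened version stays safe whatever payload list is thrown at it, because the browser never sees the input as markup.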

Enumerating via Google Dorks:

The best way to use KNOXSS is with Google dorks, as it makes things easier and faster.

When you search in Google, you can include search operators in the entry field to narrow or broaden your search.

Like:

site:site.com (returns results from certain sites or domains)

filetype: (searches for exact file type like php,txt)

inurl: (searches for specific text in the indexed URL like id, uid, cart, buy)

intitle: (searches for query terms in the page’s title, like upload)

Dorks Examples:

site:google.com inurl:id=

site:google.com filetype:php

site:google.com intitle:upload

Test Dorks:

inurl:".php?id=" intext:"View cart"

inurl:".php?cid=" intext:"shopping"

inurl:/news.php?include=

inurl:".php?query="

For more on Dorks, nothing will be better than this:

https://www.exploit-db.com/google-hacking-database/

I will attach some lists for finding admin panels and 4500 dorks to get blind XSS easily. You can download them from this URL:

https://drive.google.com/file/d/1g-vWLd998xJwLNci7XuZ6L1hRXFpIAaF/view?usp=sharing

Enumerating via Fuzzing:

Now, if you ever come across a subdomain that shows an empty/white page, you can try to enumerate more by using Dirb, DirBuster, etc. to get directories/files and run KNOXSS on them.

Usage :- dirb site.com list.txt path

You can also use SecLists, where you will find some Web_Content lists to fuzz paths for servers like Tomcat or Apache:

https://github.com/danielmiessler/SecLists/tree/master/Discovery/Web_Content

Example:-

https://payment-providers.uber.com

For more information you can watch my Uber PoC.

Recently a lot of people were curious about the usage, so I described it the best I could. Hopefully your doubts have been cleared. Now you just have to use your mind for further testing on your own. Remember, the tool is only automated, but the thinking is done manually. Do lots of recon on the site, then use KNOXSS; it will be helpful.

Have a nice XSSy day !

P.S.: The sites I mentioned in the post, I have already contacted them via email/Open Bug Bounty 🙂

Here is the Demo Video:

 

 

