XSS Hunter is Now Open Source – Here’s How to Set It Up!

Recently I opened up XSS Hunter for public registration. This was after publishing a post on how I used XSS Hunter to hack GoDaddy via blind XSS and pointing out that many penetration testers use a very limited alert box-based pentesting methodology which will not detect these types of issues. After cleaning up the source…

Poisoning the Well – Compromising GoDaddy Customer Support With Blind XSS

This is the first part of a series of stories of compromising companies via blind cross-site scripting. As companies fix the issues and allow me to disclose them, I will post them here. Blind cross-site scripting (XSS) is an often-missed class of XSS which occurs when an XSS payload fires in a browser other than…

XSS Hunter – A Modern Approach to Testing for Cross-site Scripting (XSS)

The origins of cross-site scripting (XSS) go (arguably) back to a lab at Microsoft in 1999. With the first disclosure of the issue titled “Malicious HTML Tags Embedded in Client Web Requests”, this research sparked an entire generation of an attack that somehow still seems to persist in modern web applications today. Despite this vulnerability being well-known…