Discovery of an XSS on Opera
2023-5-10 02:39:39 Author: infosecwriteups.com

M7arm4n

InfoSec Write-ups

Discovering XSS in large companies is one of my hobbies. Today I want to talk about an Opera XSS that took 15 minutes. The key to finding XSS this fast is searching for out-of-the-way endpoints. To do this, you first need a list of all subdomains, including the ones that don’t give you useful results (404, 403, etc.), and then all old existing or recently added endpoints.

Choosing the domain I’m going to work on is usually graded based on what’s found on it. For example, if two XSS vulnerabilities are found in a domain, I look for the third one because a programmer may repeat the same mistake in different places.

I usually use the C99 site to quickly find subdomains.

But unfortunately, this time the listed results were very few and I doubted their completeness. That’s why I decided to brute-force subdomains with Knock.

And here we found 4 more subdomains, which brings us to the vulnerability. I didn’t care about the rest of the subdomains anymore and started looking at those four. First I collected all the old endpoints with katana and the Wayback archive.

waybackurls < subs.txt > path.txt; katana < subs.txt >> path.txt; uro < path.txt > path2.txt; httpx -sc < path2.txt

Unfortunately or fortunately, I didn’t get any results this time, which means the endpoints are all fresh and new. I started recon manually, opened one of the subdomains, and it led me to a path like this:

https://game.target.tld/staticgames/wordsearch?url=https://site.tld/pmm/wordsearch

I changed the url parameter’s value to an XSS payload:

javascript:alert(origin)

and Bingo, the alert fired 😎🥂. Easy payload = good recon.
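The write-up does not show where the url parameter ends up on the page, but a javascript: URL only executes if the value is used as a navigation or embed target (an iframe src, location assignment, or a clicked link) without the scheme being checked. The following is an added example of the fix a defender would apply, not code from the original post or from Opera: a scheme and origin allowlist applied to the parameter before it reaches the sink. The allowlisted origin https://site.tld is taken from the URL shown above; the function names and the assumption that the value becomes an iframe src are mine.

```javascript
// Added example (not from the original write-up): allowlist validation for a
// `url` query parameter before it is used as an iframe target.
// Assumption: the endpoint embeds the parameter value as <iframe src>; the
// real sink on the Opera endpoint is not shown in the post.

// Assumed allowlist of origins the game page may embed (constructed for the example).
const ALLOWED_ORIGINS = new Set(['https://site.tld']);

// Returns the normalised absolute URL if `raw` is an https URL on an allowed
// origin, otherwise null. Parsing with `new URL()` means the scheme is read
// after the browser's own normalisation, so "JavaScript:" or a leading tab
// cannot slip past a naive string prefix check, and a "user@host" trick
// cannot make the host look like the allowed one.
function safeEmbedUrl(raw) {
  let parsed;
  try {
    parsed = new URL(raw);          // throws on relative or malformed input
  } catch (e) {
    return null;
  }
  if (parsed.protocol !== 'https:') return null;       // blocks javascript:, data:, http:
  if (!ALLOWED_ORIGINS.has(parsed.origin)) return null; // blocks other hosts
  return parsed.href;
}

// Hypothetical request handler: takes the raw query string of
// /staticgames/wordsearch?url=... and decides what the iframe may load.
// Returns { iframeSrc: string } on success, { iframeSrc: null, error } otherwise.
function resolveWordsearchTarget(queryString) {
  const params = new URLSearchParams(queryString);
  const target = safeEmbedUrl(params.get('url') || '');
  if (target === null) {
    return { iframeSrc: null, error: 'url parameter rejected by allowlist' };
  }
  return { iframeSrc: target };
}

// Stand-alone demonstration with the two values from the write-up.
console.log(resolveWordsearchTarget('url=https://site.tld/pmm/wordsearch'));
console.log(resolveWordsearchTarget('url=javascript:alert(origin)'));
```

The check deliberately rejects anything that is not an absolute https URL on a known origin rather than trying to deny-list javascript: alone, because the same sink would also accept data: URLs or redirect to an attacker-controlled host.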

Thank you for following me here. Don’t forget to follow me for more write-ups.

Twitter 🐦


Article source: https://infosecwriteups.com/discovery-of-an-xss-on-opera-f029f6522ec5?source=rss----7b722bfd1b8d--bug_bounty