Finding and exploiting Blind XSS

September 8, 2018

If you are here, we are already presuming that you know what XSS is and the major types of XSS(i.e Reflected and Stored). Plus there is DOM-based XSS too which is not that common as those other two. We have discussed in great depth about the different types of XSS and how to exploit them in different scenarios(like file uploading or markdown feature). You can always take a look at our blog section to go through them. But today, we have something special for you. If you are a beginner and you haven’t heard about Blind XSS, or you know about Blind XSS but do not understand how to exploit them, then this post will definitely help you as we will explain everything you need to know about Blind XSS.


Blind XSS is a variant of the so-called “Stored XSS” but you cannot know by ordinary means that if your payload got executed like you can in case of Stored or Reflected XSS where the alert box popups immediately on the screen. Consider a simple scenario. You are putting XSS payloads in an input field, but nothing happens on screen. Now, what happens is that the admin of the application is getting the same input directly and your payload gets executed there(i.e on his account). But you have no way to know where does the payload get executed or even if it gets executed. That is why it is called Blind XSS because you can’t see that little alert box of yours because it may be getting executed somewhere else or on a completely different domain altogether.

Where to look for Blind XSS?

You should always put Blind XSS payloads in places, where you are certain that an admin or another user of higher privileges will definitely go through that. As for example, the Feedback page. Thinking logically, a normal user of the application won’t review your feedback but it will most probably be reviewed by an admin or a team member. So that’s a nice place for a little surprise. Another place where you could use Blind XSS payloads,

  1. Review forms
  2. Contact Us pages
  3. Passwords(You never know if the other side doesn’t properly handle input and if your password is in View mode)
  4. Address fields of e-commerce sites
  5. First or Last Name field while doing Credit Card Payments
  6. Set User-Agent to a Blind XSS payload. You can do that easily from a proxy such as Burpsuite.
    And there are many more cases, but we would encourage you to read some reports to get a perfect knowledge, where other hackers are already applying these techniques and how you can use them in your program.

How to find Blind XSS and what are the appropriate tools for this purpose?

Finding Blind XSS isn’t that hard as it sounds and sometimes putting your payloads everywhere can work like a charm. But let’s see how to approach this methodically.
There are awesome tools available for this purpose, but the most popular and the one which we regularly use in penetration tests and bug bounties is XssHunter. It’s specifically written for finding Blind XSS’s and it’s really easy to make it work.

  1. First of all, you need to setup  XSSHunter Express. More details here.
  2. After setting up, if you go to the Payloads section here you will see there are different payloads with the proper description on where you could use them.
  3. Next step is to just simply copy and paste these payloads and start inserting them in different fields as we already told you before(contact us, feedback, address etc).
  4. Once done, you can just sit down and check your XSS Fires tab at a later time. If the payload gets executed anywhere it will give the full details of the bug and will also mail you a report which is super helpful.
In case, it’s not working, you can also tweak with those payloads. Url encoding and double encoding are also some of the other options which can work like a charm.

There are other tools available also, like ezXSS or you can even write your own tool with your domain(but only when you become an advanced tester). For more exposure to Blind XSS, just use this Google Dork blind xss and you will get the full list of publically disclosed reports on Hackerone. Go through each of them to understand how you can make it work efficiently. Until then, you can start inserting these Blind XSS payloads from XSShunter and play around them in your future pentests or bug bounty programs and see for yourself how it works out for you.

All the best and Happy hacking.!!