Hacking Blind Xss

2 min readJan 31, 2023

Sometimes, an attacker sends payloads to hack a system. Still, nothing is returned by the application, which can confirm that the application is insecure or hackable as the process he interacted with is Blind.

If we simplify the hacking then, it usually means that an attacker will send some data from their computer to a server, the server processes the data and then sends a response back to the attacker. The attacker evaluates the result, modifies what was sent in the first step, and repeats until desired results have been achieved. Right??? But this doesn’t get into Blind hacking.

Now there are multiple kinds of web security that exist like

  1. Sql Injection
  2. XSS
  3. SSRF
  4. XXE etc…….and on and on….

But it takes almost a different skill set when it comes to hacking the above process during testing blind vulnerability.

But how do you hack a system that does not send anything back?

The answer to the above is to do Out-of.band Testing.

Out of Band?? What the heck is that??

This is the method where security testing (OAST) uses external servers to see otherwise invisible vulnerabilities. This class of vulnerabilities is quite delicate and can cost the company’s security, as cybercriminals can use them to reach the internal applications of the company by exploiting such vulnerabilities.

Some of them are as listed below:

  • Blind server-side XML/SOAP injection
  • Blind XSS (delayed XSS)
  • Host header attack
  • Out-of-band remote code execution (OOB RCE)
  • Out-of-band SQL Injection (OOB SQLi)
  • Email header injection
  • Server-side request forgery (SSRF)
  • XML External Entity injection (XXE)
  • OS Code injection: OOB
  • XXE: Out of Band

So the list is pretty long so I have decided to address each of them one by one in our upcoming articles. For this article, we would focus on Blind XSS.

Blind XSS:-Blind XSS is a type of XSS, where the attacker “blindly” deploys a malicious payload on web pages that are likely to save them to a persistent state (like in a database, or in a log file). Then, without knowing any details about where the payloads have ended up, or if (and when) they are going to be executed, the attacker waits for the payloads to be pulled out of storage and rendered on a web page loaded by an internal user.

Find it complex…nothing to worry let's see the demo which is actually a replica of a real web application pen tested by me.

Thanks for reading!!! Do clap for me as support.