Hello World, Another Blog related to IIS. In this blog i am going to write about how i found a reflected cross site scripting on one of the popular bug bounty program

  • We know Rxss is an easy bug to find in most cases, but the reason for writing this blog post is I submitted nearly 20 XSS bugs to the same program but 19 of them are duplicate and only this one is accepted. The bug is present there for a long time. In this blog post i am going to share my approach in finding this one

  • If you havent read the recent blog, check it out here –> IIS-Default-Page-to-Information-Disclosure

Default IIS Page

  • Whenever i see a default iis page i get excited because there a lot of chances for finding Bugs there

  • As mentioned in the previous blogpost i ran IIS Shortname scanners but this webserver is not vulnerable


  • I decided to do general content discovery with ffuf

  • So i ran ffuf with jhaddix content_discovery_all.txt

 ffuf -u https://sub.redacted.com/FUZZ -w content_discovery_all.txt -fc 404
 /manager - 403
  • The path /manager gave a 403 Forbidden

  • Fuzzing again gave access to a Login Panel

 ffuf -u https://sub.redacted.com/manager/FUZZ -w content_discovery_all.txt -fc 404
/default.aspx - 200
  • I tried default credentials manually but none of them Worked


  • After spending sometime i obeserver the path is being reflected in the source code without sanitisation

The above payload executed successfully

  • Fuzzing often gives access to juicy endpoints.

That's it for now. Cheers !! Happy Hacking :)