Fuzzing ends with XSS


This is the blog that I found XSS by fuzzing directories

Whenever we got a target, Just fuzz the web directories with low thread

You can use custom word lists or default word lists.

Tools for fuzzing: ffuf, gobuster, rustbuster, dirbuster or drb

Personal preference: FUFF

While fuzzing directories I found phpMyadmin. So I tried to bypass it but I can’t. So Again I started fuzzing with the phpMyAdmin endpoint. Here I got interesting file setup, Which is accessible without authenticate.

phpMyAdmin Setup

This is also one of the issue. But I tried to create to more impact. So I start research more about it. I got to know its vulnerable to CVE-2022–23808.

Boom We got Popup..