How I got RXSS from Shodan

Mostafa Elguerdawi
Sep 8, 2023

Hello all, I’m Mostafa Elguerdawi. In this write-up I will explain how I got RXSS using Shodan.

What is Shodan?

Shodan is a search engine that allows users to search for internet-connected devices and systems. However, it’s not a typical search engine like Google, which indexes web pages. Instead, Shodan scans and indexes information about devices and services on the Internet, including servers, webcams, routers, industrial control systems, and more. This data is collected by scanning the Internet for open ports and services.

Well, let’s start.

Shodan offers a set of query filters that help narrow the results to what we are searching for.

One of these queries is: http.title:"<TITLE>"

This query is used to search for all websites that have the title we provide.

E.g.: http.title:"Medium"

There are 2 ways to find your target's title:

  • First, from the window itself
  • Second, you can view the page source: view-source:https://hackerone.com

Let’s call my target redacted.com; the home page title was Redacted.

I went to Shodan and in the search bar I entered the query: http.title:"Redacted"

I got results like that. I started to explore every host one by one until I found one that had name, email, and phone number inputs.

In the name input I tried XSS using the payload:

"> <svg/onload=alert('XSS_By_Mostafa_Elguerdawi')> "

It worked, but it was still self-XSS. I have written a write-up before on how to escalate self-XSS to RXSS using CSRF.

Write-up Link
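
An added example, not part of the original write-up: the payload above begins with "> and so closes an attribute value, which is why output encoding of the name field is the fix on the server side. The Python below renders the field with and without encoding and parses the result to check whether the markup gained an element or event handler. It assumes the name is reflected into an input's value attribute (the write-up does not show the server template); render_vulnerable, render_escaped and audit are hypothetical names.

```python
from html import escape
from html.parser import HTMLParser

# Payload quoted in the write-up, used here only as test input.
PAYLOAD = "\"> <svg/onload=alert('XSS_By_Mostafa_Elguerdawi')> \""


def render_vulnerable(name: str) -> str:
    # Hypothetical template: input concatenated straight into an attribute value.
    return f'<form><input name="name" value="{name}"></form>'


def render_escaped(name: str) -> str:
    # quote=True also encodes " and ', so the value cannot close the attribute.
    return f'<form><input name="name" value="{escape(name, quote=True)}"></form>'


class MarkupAudit(HTMLParser):
    """Collects tags and on* handlers that the template itself never emits."""

    EXPECTED_TAGS = {"form", "input"}

    def __init__(self):
        super().__init__()
        self.unexpected = []
        self.values = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.EXPECTED_TAGS:
            self.unexpected.append(tag)
        for key, value in attrs:
            if key.startswith("on"):
                self.unexpected.append(f"{tag}[{key}]")
            if tag == "input" and key == "value":
                self.values.append(value)


def audit(markup: str):
    """Return (unexpected tags/handlers, values the input field ended up with)."""
    parser = MarkupAudit()
    parser.feed(markup)
    parser.close()
    return parser.unexpected, parser.values


if __name__ == "__main__":
    print("vulnerable:", audit(render_vulnerable(PAYLOAD)))
    print("escaped:   ", audit(render_escaped(PAYLOAD)))
```

With encoding in place the parser sees the whole payload as the field's value and no extra element, so the same audit function can serve as a regression test for the form handler.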
