Blind

An XSS attack is considered blind when the hacker is able to plant the payload, but the triggering action happens in a part of the site that they cannot access. An example of this would be injecting an XSS payload into your profile name or email. When you view it from the web app, the payload may be sanitized, but the admin portal might not apply the same sanitization when the admin does something like list all users.
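To make the failure mode concrete, here is an added example (not code from the original page) with constructed sample data: one stored display name is rendered through two views, the user-facing profile page that HTML-escapes output and an admin "list all users" view that interpolates the raw value. The same record rendered through both views shows why the user-facing check passes while the admin view still executes the stored markup, and the fixed view applies the same escaping in every HTML text context. `html.escape` is Python's standard-library escaper; the user records and the `audit_sinks` helper are constructed for this example.

```python
import html

# Constructed sample user records (not from the original page). The second
# display name carries an HTML tag, the kind of value a blind XSS probe leaves
# behind in a field the victim never views directly.
USERS = [
    {"id": 1, "name": "alice", "email": "alice@example.test"},
    {"id": 2, "name": "<script>probe()</script>", "email": "mallory@example.test"},
]


def render_profile(user):
    """User-facing profile page: the name is HTML-escaped, so the tag is inert."""
    return f"<h1>{html.escape(user['name'])}</h1>"


def render_admin_user_list_vulnerable(users):
    """Admin 'list all users' view as it is often written: raw interpolation.

    The stored value that looked harmless on the profile page is now live
    markup in a page only the admin sees.
    """
    rows = "".join(
        f"<tr><td>{u['id']}</td><td>{u['name']}</td><td>{u['email']}</td></tr>"
        for u in users
    )
    return f"<table>{rows}</table>"


def render_admin_user_list_fixed(users):
    """Same admin view with output encoding applied in every HTML text context."""
    rows = "".join(
        f"<tr><td>{u['id']}</td>"
        f"<td>{html.escape(u['name'])}</td>"
        f"<td>{html.escape(u['email'])}</td></tr>"
        for u in users
    )
    return f"<table>{rows}</table>"


def contains_live_script(markup):
    """Coarse check: does an unescaped <script> tag survive in the rendered HTML?"""
    return "<script>" in markup


def audit_sinks(views):
    """Render the stored data through every view and report which ones leak
    the tag unescaped. `views` maps a view name to a zero-argument callable.

    The point for a defender: every sink that renders a stored field has to be
    checked, not just the one the submitting user can see.
    """
    return {name: contains_live_script(render()) for name, render in views.items()}


if __name__ == "__main__":
    report = audit_sinks({
        "profile": lambda: render_profile(USERS[1]),
        "admin_list_vulnerable": lambda: render_admin_user_list_vulnerable(USERS),
        "admin_list_fixed": lambda: render_admin_user_list_fixed(USERS),
    })
    for name, leaks in report.items():
        print(f"{name}: {'LEAKS' if leaks else 'ok'}")
```

Running the module prints `ok` for the profile view and the fixed admin view and `LEAKS` for the raw admin view; the check is deliberately coarse (it only looks for a literal `<script>` tag) and is meant to illustrate that each rendering context needs its own encoding, not to serve as a general XSS detector.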

A good tool for finding Blind XSS is XSSHunter.

  1. Plant the XSSHunter payload.

  2. If it is triggered, it will call the remote XSSHunter script.

  3. The DOM, cookies, and more will be sent to and listed in your XSSHunter account.
