Skip to content

ravijainpro/XSStike

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation


XSStrike
XSStrike

Advanced XSS Detection Suite

multi xss

XSStrike Wiki • Usage • FAQ • For Developers • Compatibility • Gallery

XSStrike is a Cross Site Scripting detection suite equipped with four hand written parsers, an intelligent payload generator, a powerful fuzzing engine and an incredibly fast crawler.

Instead of injecting payloads and checking it works like all the other tools do, XSStrike analyses the response with multiple parsers and then crafts payloads that are guaranteed to work by context analysis integrated with a fuzzing engine. Here are some examples of the payloads generated by XSStrike:

}]};(confirm)()//\
<A%0aONMouseOvER%0d=%0d[8].find(confirm)>z
</tiTlE/><a%0donpOintErentER%0d=%0d(prompt)``>z
</SCRiPT/><DETAILs/+/onpoINTERenTEr%0a=%0aa=prompt,a()//

Apart from that, XSStrike has crawling, fuzzing, parameter discovery, WAF detection capabilities as well. It also scans for DOM XSS vulnerabilities.

Main Features

  • Reflected and DOM XSS scanning
  • Multi-threaded crawling
  • Context analysis
  • Configurable core
  • WAF detection & evasion
  • Outdated JS lib scanning
  • Intelligent payload generator
  • Handmade HTML & JavaScript parser
  • Powerful fuzzing engine
  • Blind XSS support
  • Highly researched work-flow
  • Complete HTTP support
  • Bruteforce payloads from a file
  • Powered by Photon, Zetanize and Arjun
  • Payload Encoding

Documentation

FAQ

Gallery

DOM XSS

dom xss

Reflected XSS

multi xss

Crawling

crawling

Fuzzing

fuzzing

Bruteforcing payloads from a file

bruteforcing

Interactive HTTP Headers Prompt

headers

Hidden Parameter Discovery

arjun

Contribution, Credits & License

Ways to contribute

  • Suggest a feature
  • Report a bug
  • Fix something and open a pull request
  • Create a browser extension
  • Create a burp suite/zaproxy plugin
  • Help me document the code
  • Spread the word

Licensed under the GNU GPLv3, see LICENSE for more information.

The WAF signatures in /db/wafSignatures.json are taken & modified from sqlmap. I extracted them from sqlmap's waf detection modules which can found here and converted them to JSON.
/plugins/retireJS.py is a modified version of retirejslib.

<div class="d-flex flex-column flex-md-row gh-header">
  

    
</div>

Usage

usage: xsstrike.py [-h] [-u TARGET] [--data DATA] [-t THREADS] [--seeds SEEDS] [--json] [--path]
                   [--fuzzer] [--update] [--timeout] [--params] [--crawl] [--blind]
                   [--skip-dom] [--headers] [--proxy] [-d DELAY] [-e ENCODING]

optional arguments: -h, --help show this help message and exit -u, --url target url --data post data -f, --file load payloads from a file -t, --threads number of threads -l, --level level of crawling -t, --encode payload encoding --json treat post data as json --path inject payloads in the path --seeds load urls from a file as seeds --fuzzer fuzzer --update update --timeout timeout --params find params --crawl crawl --proxy use prox(y|ies) --blind inject blind xss payloads while crawling --skip skip confirmation dialogue and poc --skip-dom skip dom checking --headers add headers -d, --delay delay between requests

Scan a single URL

Option: -u or --url

Test a single webpage which uses GET method.

python xsstrike.py -u "http://example.com/search.php?q=query"

Supplying POST data

python xsstrike.py -u "http://example.com/search.php" --data "q=query"

Testing URL path components

Option: --path

Want to inject payloads in the URL path like http://example.com/search/<payload>, you can do that with --path switch.

python xsstrike.py -u "http://example.com/search/form/query" --path

Treat POST data as JSON

Option: --json

This switch can be used to test JSON data via POST method.

python xsstrike.py -u "http://example.com/search.php" --data '{"q":"query"} --json'

Crawling

Option: --crawl

Start crawling from the target webpage for targets and test them.

python xsstrike.py -u "http://example.com/page.php" --crawl

Crawling depth

Option: -l or --level | Default: 2

This option let's you specify the depth of crawling.

python xsstrike.py -u "http://example.com/page.php" --crawl -l 3

Testing/Crawling URLs from a file

Option: --seeds

If you want to test URLs from a file or just simply want to add seeds for crawling, you can use the --seeds option.

python xsstrike.py --seeds urls.txt

or

python xsstrike.py -u "http://example.com" -l 3 --seeds urls.txt

Bruteforce payloads from a file

Option: -f or --file

You can load payloads from a file and check if they work. XSStrike will not perform any analysis in this mode.

python3 xsstrike.py -u "http://example.com/page.php?q=query" -f /path/to/file.txt

Using default as file path with load XSStrike's default payloads.

Find hidden parameters

Option: --params

Find hidden parameters by parsing HTML & bruteforcing.

python xsstrike.py -u "http://example.com/page.php" --params

Number of threads

Option: -t or --threads | Default: 2

It is possible to make concurrent requests to the target while crawling and -t option can be used to specify the number of concurrent requests to make. While threads can help to speed up crawling, they might also trigger security mechanisms. A high number of threads can also bring down small websites.

python xsstrike.py -u "http://example.com" -t 10 --crawl -l 3

Timeout

Option: --timeout | Default: 7

It is possible to specify a number of seconds to wait before considering the HTTP(S) request timed out.

python xsstrike.py -u "http://example.com/page.php?q=query" --timeout=4

Delay

Option: -d or --delay | Default: 0

It is possible to specify a number of seconds to hold between each HTTP(S) request. The valid value is a int, for instance 1 means a second.

python xsstrike.py -u "http://example.com/page.php?q=query" -d 2

Supply HTTP headers

Option: --headers

This option will open your text editor (default is 'nano') and you can simply paste your HTTP headers and press Ctrl + S to save.

headers demo

If your operating system doesn't support this or you don't want to do this anyway, you can simply add headers from command line separated by \n as follows: python xsstrike.py -u http://example.com/page.php?q=query --headers "Accept-Language: en-US\nCookie: null"

Blind XSS

Option: --blind

Using this option while crawling will make XSStrike inject your blind XSS payload defined in core/config.py to be injected to every parameter of every HTML form.

python xsstrike.py -u http://example.com/page.php?q=query --crawl --blind

Payload Encoding

Option: -e or --encode

XSStrike can encode payloads on demand. Following encodings are supported as of now:

  • base64

python xsstrike.py -u "http://example.com/page.php?q=query" -e base64

Want an encoding to be supported? Open an issue.

Fuzzing

Option: --fuzzer

The fuzzer is meant to test filters and Web Application Firewalls. It is painfully slow because it sends randomly* delay requests and the delay can be up to 30 seconds. To minimize the delay, set the delay to 1 second by using the -d option.

python xsstrike.py -u "http://example.com/search.php?q=query" --fuzzer

Logging

Option: --console-log-level | Default: INFO

It is possible to choose a minimum logging level to display xsstrike logs in the console: python xsstrike.py -u "http://example.com/search.php?q=query" --console-log-level WARNING

Option: --file-log-level | Default: None

If specified, xsstrike will also write all logs with equal logging level or higher to a file: python xsstrike.py -u "http://example.com/search.php?q=query" --console-log-level DEBUG

Option: --log-file | Default: xsstrike.log

Name of the file where logs will be stored. Note that if --file-log-levelis not specified, this option will not have any effect. python xsstrike.py -u "http://example.com/search.php?q=query" --file-log-level INFO --log-file output.log

Using Proxies

Option: --proxy | Default 0.0.0.0:8080

You have to set up your prox(y|ies) in core/config.py and then you can use the --proxy switch to use them whenever you want.
More information on setting up proxies can be found here.

python xsstrike.py -u "http://example.com/search.php?q=query" --proxy

Skip Confirmation Prompt

Option: --skip

If you want XSStrike to continue the scan if a working payload found without asking you if you want to continue scanning then you can use this option. It will skip POC generation as well.

python xsstrike.py -u "http://example.com/search.php?q=query" --skip

Skip DOM Scanning

Option: --skip-dom

You may want to skip DOM XSS scanning while crawling to save you time.

python xsstrike.py -u "http://example.com/search.php?q=query" --skip-dom

Update

Option: --update

If this option is enabled, XSStrike will check for updates. If a newer version will available, XSStrike will download and merge the updates into the current directory without overwriting other files.

python xsstrike.py --update

    </div>

</div>



</div>

About

No description, website, or topics provided.

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages