XSStrike Wiki
XSStrike is a Cross Site Scripting detection suite equipped with four hand-written parsers, an intelligent payload generator, a powerful fuzzing engine and an incredibly fast crawler.
Instead of injecting payloads and checking whether they work, as other tools do, XSStrike analyses the response with multiple parsers and then crafts payloads that are guaranteed to work by context analysis integrated with a fuzzing engine. Here are some examples of the payloads generated by XSStrike:
}]};(confirm)()//\
<A%0aONMouseOvER%0d=%0d[8].find(confirm)>z
</tiTlE/><a%0donpOintErentER%0d=%0d(prompt)``>z
</SCRiPT/><DETAILs/+/onpoINTERenTEr%0a=%0aa=prompt,a()//
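Reflection-context analysis of the kind described above, as an added example that is not XSStrike's own parser: it feeds a response containing a unique marker through Python's html.parser and reports whether the marker lands in an attribute value, a text node, a comment or script code. The sample response and the marker `xsq1` are constructed for this example; the reported context is what decides which output encoding the application must apply to that reflection.

```python
from html.parser import HTMLParser
from typing import List, Tuple

Hit = Tuple[str, str, str]  # (context, tag, attribute)


class ReflectionContextFinder(HTMLParser):
    """Record the syntactic context of every reflection of a unique marker."""

    def __init__(self, marker: str) -> None:
        super().__init__()
        self.marker = marker
        self.hits: List[Hit] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            # Attribute values arrive already entity-decoded by html.parser.
            if value is not None and self.marker in value:
                self.hits.append(("attribute", tag, name))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser delivers <script> bodies as raw data, so the flag set in
        # handle_starttag tells text-node reflections apart from script ones.
        if self.marker in data:
            self.hits.append(("script" if self._in_script else "html", "", ""))

    def handle_comment(self, data):
        if self.marker in data:
            self.hits.append(("comment", "", ""))


def find_reflection_contexts(html: str, marker: str) -> List[Hit]:
    finder = ReflectionContextFinder(marker)
    finder.feed(html)
    finder.close()
    return finder.hits


# Constructed sample response in which the marker "xsq1" is reflected four times.
SAMPLE = (
    '<html><body><input type="text" value="xsq1">'
    "<p>You searched for xsq1</p>"
    "<!-- last query: xsq1 -->"
    '<script>var q = "xsq1";</script></body></html>'
)
```

Running `find_reflection_contexts(SAMPLE, "xsq1")` yields one hit per context, in document order.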
Apart from that, XSStrike also has crawling, fuzzing, parameter discovery and WAF detection capabilities, and it scans for DOM XSS vulnerabilities as well.
- Reflected and DOM XSS scanning
- Multi-threaded crawling
- Context analysis
- Configurable core
- WAF detection & evasion
- Outdated JS lib scanning
- Intelligent payload generator
- Handmade HTML & JavaScript parser
- Powerful fuzzing engine
- Blind XSS support
- Highly researched work-flow
- Complete HTTP support
- Bruteforce payloads from a file
- Powered by Photon, Zetanize and Arjun
- Payload Encoding
- It says fuzzywuzzy isn't installed but it is.
- What's up with Blind XSS?
- Why does XSStrike boast that it is the most advanced XSS detection suite?
- I like the project; what enhancements and features can I expect in the future?
- What's the false positive/negative rate?
- Tool xyz works against the target, while XSStrike doesn't!
- Can I copy its code?
- What if I want to embed it into a proprietary software?
Hidden Parameter Discovery
Ways to contribute
- Suggest a feature
- Report a bug
- Fix something and open a pull request
- Create a browser extension
- Create a burp suite/zaproxy plugin
- Help me document the code
- Spread the word
Licensed under the GNU GPLv3, see LICENSE for more information.
The WAF signatures in /db/wafSignatures.json are taken & modified from sqlmap. I extracted them from sqlmap's WAF detection modules, which can be found here, and converted them to JSON.
/plugins/retireJS.py is a modified version of retirejslib.
usage: xsstrike.py [-h] [-u TARGET] [--data DATA] [-t THREADS] [--seeds SEEDS] [--json] [--path] [--fuzzer] [--update] [--timeout] [--params] [--crawl] [--blind] [--skip-dom] [--headers] [--proxy] [-d DELAY] [-e ENCODING]

optional arguments:
  -h, --help      show this help message and exit
  -u, --url       target url
  --data          post data
  -f, --file      load payloads from a file
  -t, --threads   number of threads
  -l, --level     level of crawling
  -t, --encode    payload encoding
  --json          treat post data as json
  --path          inject payloads in the path
  --seeds         load urls from a file as seeds
  --fuzzer        fuzzer
  --update        update
  --timeout       timeout
  --params        find params
  --crawl         crawl
  --proxy         use prox(y|ies)
  --blind         inject blind xss payloads while crawling
  --skip          skip confirmation dialogue and poc
  --skip-dom      skip dom checking
  --headers       add headers
  -d, --delay     delay between requests
Option: -u or --url
Test a single webpage which uses the GET method.
python xsstrike.py -u "http://example.com/search.php?q=query"
python xsstrike.py -u "http://example.com/search.php" --data "q=query"
Option: --path
To inject payloads into the URL path, like http://example.com/search/<payload>, use the --path switch.
python xsstrike.py -u "http://example.com/search/form/query" --path
Option: --json
This switch can be used to test JSON data via POST method.
python xsstrike.py -u "http://example.com/search.php" --data '{"q":"query"}' --json
Option: --crawl
Start crawling from the target webpage for targets and test them.
python xsstrike.py -u "http://example.com/page.php" --crawl
Option: -l or --level | Default: 2
This option lets you specify the depth of crawling.
python xsstrike.py -u "http://example.com/page.php" --crawl -l 3
Option: --seeds
If you want to test URLs from a file, or simply want to add seeds for crawling, you can use the --seeds option.
python xsstrike.py --seeds urls.txt
or
python xsstrike.py -u "http://example.com" -l 3 --seeds urls.txt
Option: -f or --file
You can load payloads from a file and check if they work. XSStrike will not perform any analysis in this mode.
python3 xsstrike.py -u "http://example.com/page.php?q=query" -f /path/to/file.txt
Using default as the file path loads XSStrike's default payloads.
Find hidden parameters
Option: --params
Find hidden parameters by parsing HTML & bruteforcing.
python xsstrike.py -u "http://example.com/page.php" --params
Option: -t or --threads | Default: 2
It is possible to make concurrent requests to the target while crawling, and the -t option specifies the number of concurrent requests to make.
While threads can help to speed up crawling, they might also trigger security mechanisms. A high number of threads can also bring down small websites.
python xsstrike.py -u "http://example.com" -t 10 --crawl -l 3
Option: --timeout | Default: 7
It is possible to specify a number of seconds to wait before considering the HTTP(S) request timed out.
python xsstrike.py -u "http://example.com/page.php?q=query" --timeout=4
Option: -d or --delay | Default: 0
It is possible to specify a number of seconds to wait between each HTTP(S) request. The value must be an integer; for instance, 1 means one second.
python xsstrike.py -u "http://example.com/page.php?q=query" -d 2
Option: --headers
This option will open your text editor (default is 'nano'), where you can simply paste your HTTP headers and press Ctrl + S to save.
If your operating system doesn't support this, or you don't want to do it that way, you can instead add headers from the command line separated by \n as follows:
python xsstrike.py -u http://example.com/page.php?q=query --headers "Accept-Language: en-US\nCookie: null"
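A parser for the header string shape this option accepts, added here as an example and not taken from XSStrike's own code: it handles both the literal backslash-n separator the shell passes through from the double-quoted command line above and the real newlines produced in editor mode, splits each line on its first colon only, and validates the header name. The header values in the checks are constructed for the example.

```python
import re
from typing import Dict

# Characters RFC 7230 allows in a header field name (a "token").
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_header_string(raw: str) -> Dict[str, str]:
    """Turn a --headers style string into a header dict.

    Two separators are accepted: a real newline (editor mode) and the two
    literal characters backslash + n, which is what the shell hands over from
    "Accept-Language: en-US\\nCookie: null" inside double quotes.
    """
    # Normalise every separator spelling to a single real newline.
    normalised = (
        raw.replace("\\r\\n", "\n")
        .replace("\\n", "\n")
        .replace("\r\n", "\n")
    )
    headers: Dict[str, str] = {}
    for line in normalised.split("\n"):
        line = line.strip()
        if not line:
            continue  # blank line, e.g. a trailing separator
        if ":" not in line:
            raise ValueError(f"header line has no colon: {line!r}")
        # Split on the first colon only, so "Host: example.com:8080" keeps its port.
        name, value = line.split(":", 1)
        name, value = name.strip(), value.strip()
        if not _TOKEN_RE.match(name):
            raise ValueError(f"invalid header name: {name!r}")
        if "\r" in value:
            # A lone carriage return that survived splitting must not reach the request.
            raise ValueError(f"control character in value of {name!r}")
        headers[name] = value  # a repeated name overrides the earlier value
    return headers
```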
Option: --blind
Using this option while crawling makes XSStrike inject the blind XSS payload defined in core/config.py into every parameter of every HTML form.
python xsstrike.py -u http://example.com/page.php?q=query --crawl --blind
Option: -e or --encode
XSStrike can encode payloads on demand. The following encodings are supported as of now:
base64
python xsstrike.py -u "http://example.com/page.php?q=query" -e base64
Want an encoding to be supported? Open an issue.
Option: --fuzzer
The fuzzer is meant to test filters and Web Application Firewalls. It is painfully slow because it sends randomly delayed requests, and the delay can be up to 30 seconds. To minimize the delay, set it to 1 second with the -d option.
python xsstrike.py -u "http://example.com/search.php?q=query" --fuzzer
Option: --console-log-level
| Default: INFO
It is possible to choose a minimum logging level to display xsstrike logs in the console:
python xsstrike.py -u "http://example.com/search.php?q=query" --console-log-level WARNING
Option: --file-log-level
| Default: None
If specified, xsstrike will also write all logs with equal logging level or higher to a file:
python xsstrike.py -u "http://example.com/search.php?q=query" --file-log-level DEBUG
Option: --log-file
| Default: xsstrike.log
Name of the file where logs will be stored. Note that if --file-log-level is not specified, this option will not have any effect.
python xsstrike.py -u "http://example.com/search.php?q=query" --file-log-level INFO --log-file output.log
Option: --proxy | Default: 0.0.0.0:8080
You have to set up your prox(y|ies) in core/config.py, and then you can use the --proxy switch to use them whenever you want.
More information on setting up proxies can be found here.
python xsstrike.py -u "http://example.com/search.php?q=query" --proxy
Option: --skip
If you want XSStrike to continue the scan after a working payload is found, without asking whether you want to continue scanning, use this option. It will skip POC generation as well.
python xsstrike.py -u "http://example.com/search.php?q=query" --skip
Option: --skip-dom
You may want to skip DOM XSS scanning while crawling to save time.
python xsstrike.py -u "http://example.com/search.php?q=query" --skip-dom
Option: --update
If this option is enabled, XSStrike will check for updates. If a newer version is available, XSStrike will download and merge the updates into the current directory without overwriting other files.
python xsstrike.py --update