Skip to content
/ XSStrike Public
forked from s0md3v/XSStrike

XSStrike is a program which can crawl, fuzz and bruteforce parameters for XSS. It can also detect and bypass WAFs.

teamultimate.in/

License

View license
0 stars 1.9k forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

DelCoding/XSStrike

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

51 Commits
README.md
README.md
 
 
license.txt
license.txt
 
 
requirements.txt
requirements.txt
 
 
xsstrike
xsstrike
 
 

Repository files navigation

Website Python Version Bugs

XSStrike

XSStrike is a python script designed to detect and exploit XSS vulnerabilites.

A list of features XSStrike has to offer:

  • Fuzzes a parameter and builds a suitable payload
  • Bruteforces paramteres with payloads
  • Has an inbuilt crawler like functionality
  • Detects and tries to bypass WAFs
  • Both GET and POST support
  • Most of the payloads are hand crafted
  • Negligible number of false positives
  • Opens the POC in a browser window

You can download XSStrike's debian package from here.

Installing XSStrike

Use the following command to download it

git clone https://github.com/UltimateHackers/XSStrike/

After downloading, navigate to XSStrike directory with the following command

cd XSStrike

Now install the required modules with the following command

pip install -r requirements.txt

Now you are good to go! Run XSStrike with the following command

python xsstrike

Using XSStrike

XSStrike 1

You can enter your target URL now but remember, you have to mark the most crucial parameter by inserting "d3v<" in it.

For example: target.com/search.php?q=d3v&category=1

After you enter your target URL, XSStrike will check if the target is protected by a WAF or not. If its not protected by WAF you will get three options

1. Fuzzer: It checks how the input gets reflected in the webpage and then tries to build a payload according to that.

XSStrike 2

2. Striker: It bruteforces all the parameters one by one and generates the proof of concept in a browser window.

XSStrike 3

3. Spider: It extracts all the links present in homepage of the target and checks parameters in them for XSS.

4. Hulk: Hulk uses a different approach, it doesn't care about reflection of input. It has a list of polyglots and solid payloads, it just enters them one by one in the target parameter and opens the resulted URL in a browser window.

XSStrike 4

XSStrike can also bypass WAFs

XSStrike 5

XSStrike supports POST method too

XSStrike 6

You can also supply cookies to XSStrike

Unlike other stupid bruteforce programs, XSStrike has a small list of payloads but they are the best one. Most of them are carefully crafted by me. If you find any bug or have any suggestion to make the program better please let me know on Ultimate Hacker's facebook page or start an issue on XSStrike's Github repository.

Demo video

watch xsstrike in action

Credits

XSStrike uses code from BruteXSS and Intellifuzzer-XSS, XsSCan.

About

XSStrike is a program which can crawl, fuzz and bruteforce parameters for XSS. It can also detect and bypass WAFs.

teamultimate.in/

Resources

Readme

License

View license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Python 100.0%