XSS scanner using Puppeteer with Node.js
Clone the project and install the dependencies:
git clone https://github.com/christophe77/ssXss
cd ssXss
yarn install
Edit the /src/index.js file and set the url constant to the URL you want to scan.
You can also edit the default options.
I suggest not changing the timeout values; they are a good compromise between speed and accuracy.
If you want to scan and check all inputs inside all forms of the URL, set scanType: forms
If you want to check some specific inputs, set scanType: inputs
If you want to test all payloads after a URL parameter, set scanType: urlParam
If you want to store the results inside a JSON file, set result: file
If you want to receive the results as a JSON stream, set result: stream
Use ssXss.scanForms(url, options) for full page scanning.
Create a selector object if you want to scan specific inputs:
const selectors = {
  inputs: ['input[name="email"]', 'input[name="username"]'],
  submit: 'input[type="submit"]',
};
You can now start scanning.
yarn start:cmd
Edit the /src/express/index.js file and set the port you want.
yarn start:web
You can add more XSS payloads in the /scanner/payloads.js file.
Each payload must execute console.log("ssxss") or alert("ssxss"), and its user action can be none or "onmouseover".
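Why the marker matters, as an added example that is not ssXss's own code: a scanner can count a payload as executed only when the exact marker appears in a console message or a dialog, which separates real execution from mere reflection. It assumes Puppeteer's page 'console' and 'dialog' events; fakePage, watchForMarker and demo are hypothetical names, and the events are constructed.

```javascript
// Added example, not ssXss source. Assumes Puppeteer's page events:
// 'console' (msg.text()) and 'dialog' (dialog.message(), dialog.dismiss()).
const MARKER = 'ssxss'; // marker the README requires payloads to emit

// Attach listeners to a page and return the list of marker sightings.
function watchForMarker(page, marker = MARKER) {
  const hits = [];
  page.on('console', (msg) => {
    // Exact match only: text that merely contains the marker (for example
    // a reflected, unexecuted payload echoed in an error) is not execution.
    if (msg.text() === marker) hits.push({ via: 'console' });
  });
  page.on('dialog', async (dialog) => {
    if (dialog.message() === marker) hits.push({ via: 'dialog' });
    await dialog.dismiss(); // always dismiss so the page is never blocked
  });
  return hits;
}

// Hypothetical stand-in for a Puppeteer page so the example runs offline.
function fakePage() {
  const handlers = {};
  return {
    on(event, fn) { (handlers[event] = handlers[event] || []).push(fn); },
    emit(event, arg) { (handlers[event] || []).forEach((fn) => fn(arg)); },
  };
}

// Constructed events: one reflected string, one real console hit,
// one unrelated dialog, one marker dialog.
function demo() {
  const page = fakePage();
  const hits = watchForMarker(page);
  const dialog = (text) => {
    const d = { dismissed: false, message: () => text };
    d.dismiss = async () => { d.dismissed = true; };
    return d;
  };
  const banner = dialog('Accept cookies?');
  page.emit('console', { text: () => 'Invalid input: console.log("ssxss")' });
  page.emit('console', { text: () => 'ssxss' });
  page.emit('dialog', banner);
  page.emit('dialog', dialog('ssxss'));
  return { hits, bannerDismissed: banner.dismissed };
}

console.log(demo());
```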
The current version of ssXss works well but needs improvements:
- Improve speed.
- Improve DOM analysis to go deeper.
- Make npm package.
Any contribution is accepted.
If you find any bugs, please file an issue report.
If you have a website with an XSS vulnerability that is not discovered by ssXss, you can contact me.