XSS Hunter correlated injection API guide

XSS Hunter Correlated Injection API Doc

This document is meant to outline the single API endpoint required to build an XSS Hunter compatible correlated injection tool.

Endpoint

https://api.xsshunter.com/api/record_injection

Content-Type

application/json

Parameters

request - The request that was performed carrying the unique injection_key, captured in full. This could be an HTTP request or a request in another protocol.

owner_correlation_key - The key exposed under the "Settings" tab of the XSS Hunter website. It is unique to each account and should not be shared between users.

injection_key - The unique key used for each injection. Generating these keys is left to the creator of the tool; it only needs to be unique per injection so that a later callback can be correlated with this request.

Example HTTP Request/Response

POST /api/record_injection HTTP/1.1
Host: api.xsshunter.com
User-Agent: xsshunter_client
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json; charset=utf-8
Referer: https://xsshunter.com/app
Content-Length: 196
Connection: close

{"request":"GET / HTTP/1.1...","owner_correlation_key":"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX","injection_key":"UNIQUE_REQUEST_KEY"}

HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Thu, 24 Mar 2016 05:06:33 GMT
Content-Type: application/json
Connection: close
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'
Expires: 0
Cache-Control: no-cache, no-store, must-revalidate
Access-Control-Allow-Methods: OPTIONS, PUT, DELETE, POST, GET
Strict-Transport-Security: max-age=0; includeSubDomains
Pragma: no-cache
Access-Control-Allow-Credentials: true
X-Frame-Options: deny
Access-Control-Allow-Headers: X-CSRF-Token, Content-Type
Access-Control-Allow-Origin: https://xsshunter.com
CF-RAY: 2887982ed5e32864-SJC
Content-Length: 72

{"message": "Injection request successfully recorded!", "success": true}
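The following is an added example of a minimal client for the endpoint described above; it is not the project's own code and not the xsshunter_client linked below. It assumes a UUID4 hex string as the injection_key scheme (the document leaves the scheme to the tool author), uses the headers shown in the example request, and takes an optional `send` hook so the exchange can be exercised offline against the sample response shown above. The `SAMPLE_RESPONSE_BODY` constant is the response body from the example above; everything else is constructed.

```python
"""Minimal XSS Hunter correlated-injection client (added example; assumptions noted inline)."""
import json
import urllib.request
import uuid

# Endpoint and content type as documented above.
XSSHUNTER_RECORD_URL = "https://api.xsshunter.com/api/record_injection"
CONTENT_TYPE = "application/json; charset=utf-8"

# Response body copied from the example exchange above (used for offline testing).
SAMPLE_RESPONSE_BODY = b'{"message": "Injection request successfully recorded!", "success": true}'


def new_injection_key() -> str:
    """Generate a per-injection key. The document leaves the scheme to the tool author;
    a random UUID4 (assumption) is unguessable and collision-free for practical purposes."""
    return uuid.uuid4().hex


def build_record_injection_body(request: str, owner_correlation_key: str, injection_key: str) -> dict:
    """Return the JSON body the endpoint expects: exactly the three documented fields."""
    fields = {
        "request": request,
        "owner_correlation_key": owner_correlation_key,
        "injection_key": injection_key,
    }
    for name, value in fields.items():
        if not isinstance(value, str) or not value:
            raise ValueError(f"{name} must be a non-empty string")
    return fields


def _http_send(url: str, data: bytes, headers: dict) -> bytes:
    """Default transport: a plain HTTPS POST with the standard library."""
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def record_injection(request: str, owner_correlation_key: str, injection_key: str, send=None) -> dict:
    """POST one record to XSS Hunter and return the parsed reply.

    `send(url, body_bytes, headers) -> bytes` is a transport hook (constructed for this
    example) so the call can be tested without network access. Raises RuntimeError when
    the server reports success=false, so callers cannot silently lose a correlation record.
    """
    body = build_record_injection_body(request, owner_correlation_key, injection_key)
    payload = json.dumps(body).encode("utf-8")
    headers = {
        "Content-Type": CONTENT_TYPE,
        "Accept": "application/json, text/javascript, */*; q=0.01",
        "User-Agent": "xsshunter_client",
    }
    transport = send if send is not None else _http_send
    raw = transport(XSSHUNTER_RECORD_URL, payload, headers)
    reply = json.loads(raw.decode("utf-8"))
    if not reply.get("success"):
        # Do not include owner_correlation_key in the error: it is an account secret.
        raise RuntimeError(f"XSS Hunter did not record injection {injection_key}: {reply.get('message')}")
    return reply


if __name__ == "__main__":
    # Offline demonstration using the documented sample response instead of the network.
    def fake_send(url, data, headers):
        print("would POST to", url, "with", len(data), "bytes")
        return SAMPLE_RESPONSE_BODY

    key = new_injection_key()
    print(record_injection("GET / HTTP/1.1...", "OWNER_KEY_FROM_SETTINGS_TAB", key, send=fake_send))
```

The owner_correlation_key is an account secret: keep it in your tool's configuration, not in logs or error messages, and generate the injection_key with the tool rather than deriving it from anything an observer of the request could guess.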

Example Client

Please see https://github.com/mandatoryprogrammer/xsshunter_client for an example client built off of this API.