-
-
Notifications
You must be signed in to change notification settings - Fork 1.9k
FAQ
Well it's because XSStrike runs on python3 and you have to install the module with pip3 as follows:
pip3 install fuzzywuzzy
Register on xsshunter.com, copy your payload in /core/config.py within blindPayload variable. That's it.
Then you can use the --blind option while crawling to make XSStrike inject your blind XSS payload in each parameter of each form.
You can set up your own server and script instead of getting one from xsshunter.com but I recommend it because it's free, easy and open source.
There are too many reasons, take a look.
To see what is being worked on, check the development board of XSStrike. XSStrike will get the following updates in near future:
Blind XSSProxy supportVerbose output toggleBrowser engine integration- Better detection mechanism
- Dynamic JS parsing for better DOM XSS scanning
- A dedicated filter bypassing engine
- Enhanced WAF evasion capabilities by WAF rules reversing
- XSStrike API
- XSStrike browser extension
in progress - XSStrike Burp Suite plugin
in progress
There can be false positives while crawling because crawling skips thorough checks. If XSStrike marks a webpage as vulnerable while crawling, you should run a scan on that particular webpage for thorough scanning.
When you scan a single webpage, XSStrike makes use of a browser engine to ensure that the payload works and hence ensures zero false positives.
XSStrike already covers all the common + some special contexts but there can be false negatives if the injection requires some special strategy.
Please use that other tool.
Yes, as long as you state changes and release your software under the same license. For more information, please read the license. If you don't follow the conditions, you might get into trouble.
You can mail me s0md3v@gmail.com to buy a license.