# Usage

```
usage: xsstrike.py [-h] [-u TARGET] [--data DATA] [-t THREADS] [--seeds SEEDS] [--json] [--path]
                   [--fuzzer] [--update] [--timeout] [--params] [--crawl] [--blind]
                   [--skip-dom] [--headers] [--proxy] [-d DELAY] [-e ENCODING]

optional arguments:
  -h, --help      show this help message and exit
  -u, --url       target url
  --data          post data
  -f, --file      load payloads from a file
  -t, --threads   number of threads
  -l, --level     level of crawling
  -e, --encode    payload encoding
  --json          treat post data as json
  --path          inject payloads in the path
  --seeds         load urls from a file as seeds
  --fuzzer        fuzzer
  --update        update
  --timeout       timeout
  --params        find params
  --crawl         crawl
  --proxy         use prox(y|ies)
  --blind         inject blind xss payloads while crawling
  --skip          skip confirmation dialogue and poc
  --skip-dom      skip dom checking
  --headers       add headers
  -d, --delay     delay between requests
```
## Option: -u or --url

Test a single webpage which uses the GET method; combine it with --data to send the request body via POST.

```
python xsstrike.py -u "http://example.com/search.php?q=query"
```

```
python xsstrike.py -u "http://example.com/search.php" --data "q=query"
```
## Option: --path

If you want to inject payloads into the URL path, as in http://example.com/search/<payload>, you can do that with the --path switch.

```
python xsstrike.py -u "http://example.com/search/form/query" --path
```
## Option: --json

This switch can be used to test JSON data sent via the POST method.

```
python xsstrike.py -u "http://example.com/search.php" --data '{"q":"query"}' --json
```
## Option: --crawl

Start crawling from the target webpage to discover further targets and test them.

```
python xsstrike.py -u "http://example.com/page.php" --crawl
```
## Option: -l or --level | Default: 2

This option lets you specify the depth of crawling.

```
python xsstrike.py -u "http://example.com/page.php" --crawl -l 3
```
## Option: --seeds

If you want to test URLs from a file, or simply want to add seeds for crawling, you can use the --seeds option.

```
python xsstrike.py --seeds urls.txt
```

or

```
python xsstrike.py -u "http://example.com" -l 3 --seeds urls.txt
```
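Because a crawl follows links from every seed, a stray URL on another host in the seeds file pulls that host into the test. The script below is an added example and not part of XSStrike: it filters a seeds file down to one authorised domain and its subdomains before the file is handed to --seeds. The scope rule (domain plus subdomains), the function names and the sample URLs are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not part of XSStrike: keep a --seeds file inside the authorised
# scope before crawling. Scope here means one domain plus its subdomains; that
# rule is an assumption for the example.
#
# host_of URL            -> prints the host part of URL
# filter_seeds DOMAIN IN -> prints in-scope URLs from file IN, one per line,
#                           and reports skipped ones on stderr

host_of() {
    h="${1#*://}"      # drop scheme
    h="${h%%[/?#]*}"   # drop path, query or fragment
    h="${h##*@}"       # drop userinfo
    h="${h%%:*}"       # drop port
    printf '%s' "$h"
}

filter_seeds() {
    scope="$1"
    while IFS= read -r url || [ -n "$url" ]; do
        [ -z "$url" ] && continue                  # ignore blank lines
        case "$(host_of "$url")" in
            "$scope" | *."$scope") printf '%s\n' "$url" ;;
            *) echo "filter_seeds: out of scope, skipped: $url" >&2 ;;
        esac
    done < "$2"
}

# Constructed sample seed list mixing in-scope and out-of-scope URLs.
seeds="$(mktemp)"
printf '%s\n' \
    'http://example.com/page.php?q=query' \
    'https://shop.example.com:8443/search' \
    'http://notexample.com/' \
    'http://user@example.com.evil.test/login' > "$seeds"

# Write the in-scope subset to a new file and show the command that would use it.
filtered="$(mktemp)"
filter_seeds example.com "$seeds" > "$filtered"
printf 'python xsstrike.py -u "http://example.com" -l 3 --seeds %s\n' "$filtered"
rm -f "$seeds"
```

The host is compared as a whole, so `notexample.com` and a userinfo trick such as `user@example.com.evil.test` are both rejected; only `example.com` itself and hosts ending in `.example.com` pass.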
## Option: -f or --file

You can load payloads from a file and check whether they work. XSStrike will not perform any analysis in this mode.

```
python3 xsstrike.py -u "http://example.com/page.php?q=query" -f /path/to/file.txt
```

Using `default` as the file path loads XSStrike's default payloads.
## Option: -t or --threads | Default: 2

It is possible to make concurrent requests to the target while crawling, and the -t option specifies the number of concurrent requests to make.
While threads can speed up crawling, they might also trigger security mechanisms. A high number of threads can also bring down small websites.

```
python xsstrike.py -u "http://example.com" -t 10 --crawl -l 3
```
## Option: --timeout | Default: 7

It is possible to specify the number of seconds to wait before considering an HTTP(S) request timed out.

```
python xsstrike.py -u "http://example.com/page.php?q=query" --timeout=4
```
## Option: -d or --delay | Default: 0

It is possible to specify the number of seconds to wait between each HTTP(S) request. The value must be an integer; for instance, 1 means one second.

```
python xsstrike.py -u "http://example.com/page.php?q=query" -d 2
```
## Option: --headers

This option opens your text editor (the default is nano), where you can paste your HTTP headers and press Ctrl + S to save.
If your operating system doesn't support this, or you'd rather not do it that way, you can add headers from the command line separated by `\n` as follows:

```
python xsstrike.py -u http://example.com/page.php?q=query --headers "Accept-Language: en-US\nCookie: null"
```
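The `\n` in that command is the literal two-character sequence backslash and n, not a real newline, so a header block kept in a file has to be joined on that separator before it is passed on. The script below is an added example, not part of XSStrike: it builds the --headers argument from a file with one `Name: value` header per line and rejects a malformed line instead of silently dropping it (a silently lost `Cookie:` header would make every request unauthenticated and the scan results misleading). The function name and the sample header file are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not part of XSStrike: build the string that --headers expects
# from a plain-text file with one "Name: value" header per line. Lines are
# joined with the literal two-character sequence \n used in the command above.
#
# join_headers FILE -> prints the joined string (no trailing newline);
#                      returns 1 on a line that is not of the form "Name: value".
join_headers() {
    out=""
    sep=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "") continue ;;                        # ignore blank lines
            *": "*) ;;                             # looks like "Name: value"
            *) echo "join_headers: malformed header line: $line" >&2
               return 1 ;;
        esac
        out="${out}${sep}${line}"
        sep='\n'                                   # literal backslash + n
    done < "$1"
    printf '%s' "$out"
}

# Constructed sample input: a file holding the two headers from the example above.
hdr_file="$(mktemp)"
printf '%s\n' 'Accept-Language: en-US' 'Cookie: null' > "$hdr_file"

# Print the exact command line so the argument can be checked before a run.
headers="$(join_headers "$hdr_file")" || exit 1
printf 'python xsstrike.py -u "http://example.com/page.php?q=query" --headers "%s"\n' "$headers"
rm -f "$hdr_file"
```

The separator is assigned in single quotes (`sep='\n'`) so the shell does not turn it into a newline; the output for the sample file is exactly `Accept-Language: en-US\nCookie: null`, matching the hand-written form above.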
## Option: --blind

Using this option while crawling makes XSStrike inject the blind XSS payload defined in core/config.py into every parameter of every HTML form.

```
python xsstrike.py -u http://example.com/page.php?q=query --crawl --blind
```
## Option: -e or --encode

XSStrike can encode payloads on demand. The following encodings are supported as of now:

- base64

```
python xsstrike.py -u "http://example.com/page.php?q=query" -e base64
```

Want an encoding to be supported? Open an issue.
## Option: --fuzzer

The fuzzer is meant to test filters and Web Application Firewalls. It is painfully slow because it sends requests with random delays, and the delay can be up to 30 seconds. To minimize the delay, set it to 1 second with the -d option.

```
python xsstrike.py -u "http://example.com/search.php?q=query" --fuzzer
```
## Option: --console-log-level | Default: INFO

It is possible to choose the minimum logging level for XSStrike's console output:

```
python xsstrike.py -u "http://example.com/search.php?q=query" --console-log-level WARNING
```
## Option: --file-log-level | Default: None

If specified, XSStrike will also write all log messages of this level or higher to a file:

```
python xsstrike.py -u "http://example.com/search.php?q=query" --file-log-level DEBUG
```
## Option: --log-file | Default: xsstrike.log

Name of the file where logs will be stored. Note that if --file-log-level is not specified, this option has no effect.

```
python xsstrike.py -u "http://example.com/search.php?q=query" --file-log-level INFO --log-file output.log
```
## Option: --proxy | Default: 0.0.0.0:8080

You have to set up your prox(y|ies) in core/config.py, and then you can use the --proxy switch to route requests through them whenever you want.
More information on setting up proxies can be found here.

```
python xsstrike.py -u "http://example.com/search.php?q=query" --proxy
```
## Option: --skip

If you want XSStrike to continue the scan after a working payload is found, without asking whether you want to keep scanning, use this option. It skips POC generation as well.

```
python xsstrike.py -u "http://example.com/search.php?q=query" --skip
```
## Option: --skip-dom

You may want to skip DOM XSS scanning while crawling to save time.

```
python xsstrike.py -u "http://example.com/search.php?q=query" --skip-dom
```
## Option: --update

If this option is enabled, XSStrike will check for updates. If a newer version is available, XSStrike downloads and merges the updates into the current directory without overwriting other files.

```
python xsstrike.py --update
```