XSStrike is a Python script designed to detect and exploit XSS vulnerabilities.
A list of features XSStrike has to offer:
- Fuzzes a parameter and builds a suitable payload
- Bruteforces parameters with payloads
- Has built-in crawler-like functionality
- Can reverse engineer the rules of a WAF/Filter
- Detects and tries to bypass WAFs
- Both GET and POST support
- Most of the payloads are handcrafted
- Negligible number of false positives
- Opens the POC in a browser window
Use the following command to download it
git clone https://github.com/UltimateHackers/XSStrike/
After downloading, navigate to XSStrike directory with the following command
Now install the required modules with the following command
pip install -r requirements.txt
Now you are good to go! Run XSStrike with the following command
You can enter your target URL now, but remember that you have to mark the most crucial parameter by inserting "d3v" in it.
For example: target.com/search.php?q=d3v&category=1
After you enter your target URL, XSStrike will check whether the target is protected by a WAF. If it's not protected by a WAF, you will get three options:
1. Fuzzer: It checks how the input gets reflected in the webpage and then tries to build a payload according to that.
2. Striker: It bruteforces all the parameters one by one and generates the proof of concept in a browser window.
3. Spider: It extracts all the links present on the homepage of the target and checks the parameters in them for XSS.
4. Hulk: Hulk uses a different approach; it doesn't care about reflection of input. It has a list of polyglots and solid payloads, enters them one by one in the target parameter, and opens the resulting URL in a browser window.
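The reflection check the Fuzzer description refers to, seen from the defender's side, as an added example that is not XSStrike's own code: it finds where the "d3v" marker lands in a response and names the output encoding that context requires. The class name, function name and sample response are constructed for illustration.

```python
from html.parser import HTMLParser

MARKER = "d3v"  # the marker string this page says to place in the parameter
# Output encoding a developer must apply for each reflection context.
FIX = {
    "html_text": "HTML-entity encode < > & before output",
    "attribute": "HTML-attribute encode and always quote the value",
    "script": "JavaScript-string encode, or pass data via a JSON data block",
}

class ReflectionFinder(HTMLParser):
    """Records the HTML context of every place MARKER appears in a response."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_script = False
        self.contexts = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and MARKER in value:
                self.contexts.append(("attribute", f"<{tag} {name}=...>"))
        if tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if MARKER in data:
            ctx = "script" if self.in_script else "html_text"
            self.contexts.append((ctx, data.strip()[:40]))

def classify(body):
    """Return (context, location, required encoding) for each reflection."""
    finder = ReflectionFinder()
    finder.feed(body)
    finder.close()
    return [(ctx, where, FIX[ctx]) for ctx, where in finder.contexts]

# Constructed sample response for target.com/search.php?q=d3v (not real output).
SAMPLE = """<html><body><h1>Results for d3v</h1>
<input type="text" name="q" value="d3v">
<script>var term = "d3v";</script></body></html>"""

if __name__ == "__main__":
    for ctx, where, fix in classify(SAMPLE):
        print(f"{ctx:10} {where:30} -> {fix}")
```

Each context needs its own encoder, so a page that entity-encodes the heading but writes the same value raw into the script block is still exposed.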
XSStrike can also bypass WAFs
XSStrike supports POST method too
You can also supply cookies to XSStrike
XSStrike uses code from BruteXSS, Intellifuzzer-XSS and XsSCan.