Skip to content

Latest commit

 

History

History
80 lines (57 loc) · 4.48 KB

xss-tools.md

File metadata and controls

80 lines (57 loc) · 4.48 KB
Raw

XSS Tools

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

XSStrike

git clone https://github.com/s0md3v/XSStrike.git
cd XSStrike
pip install -r requirements.txt
python xsstrike.py

python xsstrike.py -u "http://SERVER_IP:PORT/index.php?task=test"

Basic Usage(Get):
python3 xsstrike.py --headers -u "http://localhost/vulnerabilities/xss\_r/?name=asd"\ Basic Usage(Post):
python xsstrike.py -u "http://example.com/search.php" --data "q=query"
Crawling(depth=2 default):
python xsstrike.py -u "http://example.com/page.php" --crawl -l 3
Find hidden parameters:
python xsstrike.py -u "http://example.com/page.php" --params
Extra:
--headers #Set custom headers (like cookies). It is necessary to set every time
--skip-poc
--skip-dom #Skip DOM XSS scanning

BruteXSS

git clone https://github.com/rajeshmajumdar/BruteXSS

Tool to find vulnerable (GET or POST) parameter to XSS using a list of payloads with a GUI.
Custom headers (like cookies) can not be configured.

XSSer

https://github.com/epsylon/xsser
Already installed in Kali.
Complete tool to find XSS.

Basic Usage(Get):

The tool doesnt send the payload:(

XSSCrapy

git clone https://github.com/DanMcInerney/xsscrapy

Not recommended. A lot of unnecessary output, and it doesn`t work properly.

Dalfox

https://github.com/hahwul/dalfox

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥