Find answers, ask questions, and connect with our
welcoming community.

  • XSS Tools

  • Christophe

    Administrator
    October 26, 2020 at 4:06 pm

    As I’m working on a new XSS course, I wanted to share some of the tools that I’ll be demonstrating, that I’ve come across during research, or that I’ve used in the past, with a quick explanation of what it is and how it works.

    XSS Detection and exploitation

    There are many others, but these are ones I’ve found that are still maintained and don’t have too many bugs.

    Do you know of any other good ones? Please share below!

    XSStrike

    Generates payloads, has a fuzzing engine, fast crawler, and uses multiple parsers to analyze responses. It also includes parameter discovery, WAF detection, and it includes a scanner for DOM XSS

    Basic usage:

    python xsstrike.py -u "http://target.com/search.php?q=query"

    XSSer

    Includes over 1,300 XSS attack vectors with several options to try and bypass certain filters. Also includes a GUI, although I’ve found it can be a bit of a pain to use with some applications.

    python xsser --gtk

    ezXSS

    Designed to help detect blind XSS by setting up a dashboard with statistic, payloads, and view/share/search reports. You can get instant email alerts when something is detected. Can be installed with Apache, NGINX, or Docker.

    Live demo is available at https://demo.ezxss.com/manage with password demo1234

    XSS Hunter

    You can set it up on your own from GitHub or you can go to https://xsshunter.com/

    You get a custom subdomain to generate your payloads, like this:

    ">

    When a vulnerability is found, it collects the information and sends it over to you.

    BeEF

    BeEF is a Browser Exploitation Framework. It essentially ‘hooks’ user browsers and uses them as beachheads to launch further attacks. This framework isn’t necessarily just used for XSS, but you can use it with XSS attacks because you can deliver the BeEF hook in your XSS payload, and it will then communicate back with your BeEF installation every few seconds to keep the connection going.

    Once you’ve hooked a browser, you can use all kinds of command modules against the hooked browser.

    Cross-Site Scripting (XSS): The 2021 Guide

Log in to reply.

Original Post
0 of 0 posts June 2018
Now