As I’m working on a new XSS course, I wanted to share some of the tools that I’ll be demonstrating, that I’ve come across during research, or that I’ve used in the past, with a quick explanation of what each one is and how it works.
Includes over 1,300 XSS attack vectors with several options to try to bypass certain filters. Also includes a GUI, although I’ve found it can be a bit of a pain to use with some applications.
python xsser --gtk
Designed to help detect blind XSS by setting up a dashboard with statistics, payloads, and view/share/search reports. You can get instant email alerts when something is detected. Can be installed with Apache, NGINX, or Docker.
You get a custom subdomain to generate your payloads, like this:
When a vulnerability is found, it collects the information and sends it over to you.
BeEF is a Browser Exploitation Framework. It essentially ‘hooks’ user browsers and uses them as beachheads to launch further attacks. This framework isn’t necessarily just used for XSS, but you can use it with XSS attacks because you can deliver the BeEF hook in your XSS payload, and it will then communicate back with your BeEF installation every few seconds to keep the connection going.
Once you’ve hooked a browser, you can use all kinds of command modules against the hooked browser.