XSScrapy - Fast, thorough XSS vulnerability spider

Monday, September 8, 2014

Fast, thorough, XSS spider. Give it a URL and it'll test every link it finds for cross-site scripting vulnerabilities.

XSS attack vectors xsscrapy will test
  • Referer header (way more common than I thought it would be!)
  • User-Agent header
  • Cookie header (added 8/24/14)
  • Forms, both hidden and explicit
  • URL variables
  • End of the URL, e.g. www.example.com/<script>alert(1)</script>
  • Open redirect XSS, e.g. looking for links where it can inject a value of javascript:prompt(1)
XSS attack vectors xsscrapy will not test
  • Other headers
Let me know if you know of other headers you’ve seen XSS-exploitable in the wild and I may add checks for them in the script.
  • Persistent XSS’s reflected in pages other than the immediate response page
If you can create something like a calendar event with an XSS in it but you can only trigger it by visiting a specific URL that’s different from the immediate response page then this script will miss it.
DOM XSS will go untested.
  • CAPTCHA protected forms
This should probably go without saying, but captchas will prevent the script from testing forms that are protected by them.
  • AJAX

Because Scrapy is not a browser, it will not render javascript so if you’re scanning a site that’s heavily built on AJAX this scraper will not be able to travel to all the available links. I will look into adding this functionality in the future although it is not a simple task.

From within the main folder run:
./xsscrapy.py -u http://something.com
If you wish to login then crawl:
./xsscrapy.py -u http://something.com/login_page -l loginname -p pa$$word

Output is stored in XSS-vulnerable.txt.

Subscribe via e-mail for updates!