XSStrike v1.2 - Fuzz, Crawl and Bruteforce Parameters for XSS


XSStrike is a python script designed to detect and exploit XSS vulnerabilites.
A list of features XSStrike has to offer:
  • Fuzzes a parameter and builds a suitable payload
  • Bruteforces paramteres with payloads
  • Has an inbuilt crawler like functionality
  • Can reverse engineer the rules of a WAF/Filter
  • Detects and tries to bypass WAFs
  • Both GET and POST support
  • Most of the payloads are hand crafted
  • Negligible number of false positives
  • Opens the POC in a browser window

Installing XSStrike

Use the following command to download it
git clone https://github.com/UltimateHackers/XSStrike/
After downloading, navigate to XSStrike directory with the following command
cd XSStrike
Now install the required modules with the following command
pip install -r requirements.txt
Now you are good to go! Run XSStrike with the following command
python xsstrike

Using XSStrike


You can enter your target URL now but remember, you have to mark the most crucial parameter by inserting "d3v<" in it.
For example: target.com/search.php?q=d3v&category=1
After you enter your target URL, XSStrike will check if the target is protected by a WAF or not. If its not protected by WAF you will get three options

1. Fuzzer: It checks how the input gets reflected in the webpage and then tries to build a payload according to that.


2. Striker: It bruteforces all the parameters one by one and generates the proof of concept in a browser window.


3. Spider: It extracts all the links present in homepage of the target and checks parameters in them for XSS.


4. Hulk: Hulk uses a different approach, it doesn't care about reflection of input. It has a list of polyglots and solid payloads, it just enters them one by one in the target parameter and opens the resulted URL in a browser window.



XSStrike can also bypass WAFs


XSStrike supports POST method too


You can also supply cookies to XSStrike


Demo video


Credits
XSStrike uses code from BruteXSS and Intellifuzzer-XSS, XsSCan.


XSStrike v1.2 - Fuzz, Crawl and Bruteforce Parameters for XSS XSStrike v1.2 - Fuzz, Crawl and Bruteforce Parameters for XSS Reviewed by Lydecker Black on 6:15 PM Rating: 5