Some simple tools which I'm using frequently to find XSS. Keep in mind: Do not trust scripts only! Sometimes the vulnerability is more complex and needs special treatment ;) Those scripts won't find dom bases/dynamic XSS!
Because most tools I tested did not find simple reflected XSS - that's why I hacked this script together. And it works... if you know how to use it.
How to execute:
python3 checkGivenParameters.py -url "http://victim/?param1=test¶m2=test2&foo=bar" -payload '[XSS"]'
This script...
- searches for inputs, textareas, selects, buttons and uses their name/id values as additional get parameters
- replaces every get value with the given payload and checks if its reflected in the http body
Optional parameters:
- payload
Using the default payload may result in a lot of false results.
XSS on a starbucks subdomain
XSS on a General Motors subdomain
How to execute (Way 1):
python3 checkRandomParameters.py -url "http://victim/" -payload '[XSS"]' -paramlist /path/to/params.txt -threads 10 -timeout 3600 --verbose --extended
This scripts...
- searches for inputs, textareas, selects, buttons and uses their name/id as additional get parameters
- takes every parameter (custom + wordlist) and appents it with the payload as value to the url and then checks, if the payload is reflected
Optional parameters:
- payload
- paramlist
- threads
- timeout
- verbose
- extended
Extended mode Using the "--extended" flag will result in aditional checks if a parameter is found to be reflected.
Some websites reflect the requested url this results in a lot false results WHEN the payload is something very simple like "abcdefg27sjs93" - see netflix.com or uber.com for instance. Thats why I'm not using the standard alphanumerical payload and instead choosing something like 'XSS">' or 'XSS"'. In that case I wouldnt also use the extended mode (because you basically doing extended search). If you have a victim where the request url is not reflected you should use the extended flag with a simple playload like the default one.
Script bruteforces parameters and finds "year" parameter which is reflected (basic check) and then validated using extended checks (with special characters...)
I didnt pass a parameter wordlist, this forces the script to search for input fields and use the name/id as get parameters.
Thanks to Daniel Miessler for the parameter wordlist: https://github.com/danielmiessler/SecLists I added some custom parameters ;)