Welcome to Asperis Security's XSS Detection Tool! This tool is designed to help identify and validate Cross-Site Scripting (XSS) vulnerabilities through GET requests. With precision and flexibility, it allows security researchers, pentesters and bug bounty hunters to find and mitigate potential XSS issues.
- Precise XSS Detection: Pinpoints XSS vulnerabilities in GET requests.
- WAF Bypass Detection: Helps you discover tags and attributes that your WAF might miss.
- Insecure CSP Detection: Identifies websites with insecure Content Security Policy (CSP) configurations that could be exploited for XSS attacks.
- Customizable Payloads & Tags: Tailor scans with custom tags and payloads for specific tests.
- Multithreaded Concurrency: Speed up scanning with concurrent threads.
- Custom Headers Support: Use custom headers for authenticated testing or advanced tests.
- Detailed Reporting: Generates comprehensive reports for easy management.
This tool was built with inspiration from the XSS Cheatsheet provided by PortSwigger. We highly recommend reviewing this resource for a deeper understanding of XSS payloads.
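The "Insecure CSP Detection" feature listed above concerns policies that leave room for XSS. As an added illustration (not xssFuzz code, and not a description of how the tool implements its check), this Python example audits a Content-Security-Policy header value for common weakening settings; the function names and sample policies are constructed for the example.

```python
# Added example, not xssFuzz code: flag CSP settings that weaken XSS protection.
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
BROAD = ("*", "data:", "http:", "https:")

def parse_csp(header_value):
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # A repeated directive is ignored by browsers, so the first one wins.
        policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def audit_csp(header_value):
    """Return a sorted list of findings for one Content-Security-Policy value."""
    policy = parse_csp(header_value)
    findings = set()
    # script-src falls back to default-src when it is absent.
    effective = next((d for d in ("script-src", "default-src") if d in policy), None)
    if effective is None:
        findings.add("no script-src or default-src: scripts are unrestricted")
    else:
        sources = policy[effective]
        # A nonce or hash makes CSP2+ browsers ignore 'unsafe-inline'.
        strict = any(s.startswith(HASH_OR_NONCE) for s in sources)
        # With 'strict-dynamic', host and scheme sources are ignored as well.
        dynamic = strict and "'strict-dynamic'" in sources
        if "'unsafe-inline'" in sources and not strict:
            findings.add(f"{effective} allows 'unsafe-inline'")
        if "'unsafe-eval'" in sources:
            findings.add(f"{effective} allows 'unsafe-eval'")
        for s in sources:
            if s in BROAD and not dynamic:
                findings.add(f"{effective} allows broad source {s}")
    if "object-src" not in policy and "default-src" not in policy:
        findings.add("object-src not restricted")
    if "base-uri" not in policy:  # base-uri has no default-src fallback
        findings.add("base-uri not set")
    return sorted(findings)

# Constructed sample policies (not taken from any real site).
WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline' https:; img-src *"
STRICT = ("script-src 'nonce-r4nd0m' 'strict-dynamic' https: 'unsafe-inline'; "
          "object-src 'none'; base-uri 'none'")

if __name__ == "__main__":
    for label, value in (("weak", WEAK), ("strict", STRICT)):
        print(label, audit_csp(value) or "no findings")
```
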
- Install Python (3.x version).
- Install dependencies using:

  ```
  pip install -r requirements.txt
  ```
- Download and install Google Chrome and Chrome Driver as specified in the repository.

- Install Python and pip:

  ```
  sudo apt install python3 python3-pip
  ```
- Install dependencies using:

  ```
  pip3 install -r requirements.txt
  ```
- Execute the install script:

  ```
  sudo bash linux.sh
  ```

```
python xssFuzz.py -u "<target_url>" -o output.txt
```
This command runs a basic scan on the target URL and saves the results in `output.txt`.

```
python xssFuzz.py -u "<target_url>" -o output.txt --verbose
```
Provides more detailed information about the scan.

```
python xssFuzz.py -u "<target_url>" --tag img -o output.txt
```
Scan only specific HTML tags, such as `<img>`.

```
python xssFuzz.py -u "<target_url>" -p "<payload_file>" -o output.txt
```
Use custom payloads to scan specific attack vectors.

```
python xssFuzz.py -u "<target_url>" -H "Header1:Value,Header2:Value" -o output.txt
```
Include custom headers in your scan.

```
python xssFuzz.py -u "<target_url>" --limit 5 -o output.txt
```
Limit the scan to the first 5 tags and 5 events for faster results.

```
python xssFuzz.py -u "<target_url>" -t 10 -o output.txt
```
Increase scan speed by running 10 concurrent threads.

```
python xssFuzz.py -u "<target_url>" -V -o output.txt
```
Use validation mode to check if identified vulnerabilities are exploitable.

Once the scan is complete, the tool generates a detailed report showing:
- Vulnerable Parameters: Lists parameters that are vulnerable to XSS.
- Custom Payloads: Provides payloads that successfully exploited vulnerabilities.
- WAF Bypass: Shows any tags or events that bypassed WAF rules.
- Validation: Confirms whether detected XSS vulnerabilities are valid and exploitable.

In the next few weeks, we will publish blog articles where we will explain in detail how we use this tool to find vulnerabilities in active websites on the Internet. These articles will range from simple use cases to advanced techniques, including how to bypass WAFs like Cloudflare and other complex exploitations.
Stay tuned for our updates!