Skip to content

Asperis-Security/xssFuzz

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

10 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

logo

Follow on Instagram Connect on LinkedIn Contributions

🌐 XSSFUZZ

Welcome to Asperis Security's XSS Detection Tool! This tool is designed to help identify and validate Cross-Site Scripting (XSS) vulnerabilities through GET requests. With precision and flexibility, it allows security researchers, pentesters and bug bounty hunters to find and mitigate potential XSS issues.

πŸš€ Features

  • πŸ” Precise XSS Detection: Pinpoints XSS vulnerabilities in GET requests.
  • πŸ›‘οΈ WAF Bypass Detection: It helps you discover tags and attributes that your WAF might miss.
  • πŸ”“ Insecure CSP Detection: Identifies websites with insecure Content Security Policy (CSP) configurations that could be exploited for XSS attacks.
  • πŸ› οΈ Customizable Payloads & Tags: Tailor scans with custom tags and payloads for specific tests.
  • ⚑ Multithreaded Concurrency: Speed up scanning with concurrent threads.
  • πŸ” Custom Headers Support: Use custom headers for authenticated testing or advance tests.
  • πŸ“Š Detailed Reporting: Generates comprehensive reports for easy management.

πŸ“š References

This tool was built with inspiration from the XSS Cheatsheet provided by PortSwigger. We highly recommend reviewing this resource for further understanding on XSS payloads.


πŸ› οΈ Installation

Windows

  1. Install Python (3.x version).

  2. Install dependencies using:

  3. pip install -r requirements.txt
  4. Download and install Google Chrome and Chrome Driver as specified in the repository.

Linux

  1. Install Python and pip:

    sudo apt install python3 python3-pip
  2. Install dependencies using:

    pip3 install -r requirements.txt
  3. Execute the install script:

    sudo bash linux.sh

πŸ’» Usage

Basic Scan

python xssFuzz.py -u "<target_url>" -o output.txt

This command runs a basic scan on the target URL and saves the results in output.txt.

Verbose Output

python xssFuzz.py -u "<target_url>" -o output.txt --verbose

Provides more detailed information about the scan.

Tag-Specific Testing

python xssFuzz.py -u "<target_url>" --tag img -o output.txt

Scan only specific HTML tags, such as <img>.

Custom Payloads

python xssFuzz.py -u "<target_url>" -p "<payload_file>" -o output.txt

Use custom payloads to scan specific attack vectors.

Custom Headers

python xssFuzz.py -u "<target_url>" -H "Header1:Value,Header2:Value" -o output.txt

Include custom headers in your scan.

Limiting Scope

python xssFuzz.py -u "<target_url>" --limit 5 -o output.txt

Limit the scan to the first 5 tags and 5 events for faster results.

Increasing Speed with Threads

python xssFuzz.py -u "<target_url>" -t 10 -o output.txt

Increase scan speed by running 10 concurrent threads.

Validation Mode

python xssFuzz.py -u "<target_url>" -V -o output.txt

Use validation mode to check if identified vulnerabilities are exploitable.


πŸ“Š Output and Reporting

Once the scan is complete, the tool generates a detailed report showing:

  1. 🎯 Vulnerable Parameters: Lists parameters that are vulnerable to XSS.
  2. πŸ“œ Custom Payloads: Provides payloads that successfully exploited vulnerabilities.
  3. 🚫 WAF Bypass: Shows any tags or events that bypassed WAF rules.
  4. βœ… Validation: Confirms whether detected XSS vulnerabilities are valid and exploitable.

πŸ“’ Coming Soon

In the next few weeks, we will publish blog articles where we will explain in detail how we use this tool to find vulnerabilities in active websites on the Internet. These articles will range from simple use cases to advanced techniques, including how to bypass WAFs like Cloudflare and other complex exploitations.

Stay tuned for our updates!

Screenshots

main

About

πŸš€ XSSFUZZ - A tool for detecting XSS vulnerabilities in web applications.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published