XSSearch
A Comprehensive Reflected XSS Scanner
XSSearch is a comprehensive reflected XSS tool with 3000+ Payloads for automating XSS attacks and validating XSS endpoints.
DISCLAIMER :
The XSSearch developer will not be held liable if the tool is used with harmful or criminal intent. Please use at your own risk. :)
USES :
- XSSearch can be used to discover reflected Cross Site Scripting (XSS) vulnerabilities
- XSSearch is capable of validating XSS payloads.
- XSSearch will facilitate in the automation of brute - force attack for the verification of reflected XSS.
- Works on all Linux environment
- This can also be used in penetration testing to evaluate sanitization strength.
FEATURES :
- Contains more than 3000 payloads for XSS validation
- Works on selenium framework & ChromeDriver
- It is faster than other XSS tools since the code is very light and rapid.
- The code and payloads can be modified according to the situation.
SETUP & INSTALLATION
XSSearch requires Selenium, ChromeDriver and Python to work smoothly on your system.
Installing Selenium
$ sudo apt update
$ pip3 install selenium
Installing Chrome Browser for Linux (Skip this if you already have Chrome browser on your Linux)
$ wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
$ sudo apt install ./google-chrome-stable_current_amd64.deb
You may use the command to start Chrome from your terminal.
$ google-chrome --no-sandbox
Downloading ChromeDriver
Go to https://chromedriver.chromium.org/downloads and get the linux 64 zipped version of ChromeDriver 80.0.3987.106.
Unzip the zip file. There will be a file for ChromeDriver. Open terminal on the same location and use the following command.
$ sudo chmod +x chromedriver
$ sudo mv -f chromedriver /usr/bin/chromedriver
USAGE
XSSearch is a command line tool that uses a single command line instruction for simple and speedy execution.
Note : This tool will only work on url which has a input paramter in the url. Example : www[.]target[.]com/?xyz=
$ python3 xssearch.py -u url.com/?s={xss} -p payloads.txt
Arguments :
-u : It is required for URL input
-p : It is required for Payload file input
{xss} : It is a placeholder that the user should append after an equal to sign (=) in the url argument.
Live Usage
$ python3 xssearch.py -u https://ac121f0e1eb31ae5c0c9473f00f400f7.web-security-academy.net/?search={xss} -p payloads.txt
Above is the screenshot of the tool with live example.
Valid XSS exploits are marked with red alerts.
Invalid XSS exploits are marked with blue alerts.
Errors & Warnings
The following are some errors that might arise as a result of an incomplete command, not specifying arguments or not specifying placeholders.
Use the below command to get help
$ python3 xssearch.py -h
LICENSE
More suggestions and contributions are highly appreciated to make this tool better :)
STAY SAFE, ACT SMART
Hit Me Up
1 Dec 1, 2021
2 Aug 12, 2021
8 Jan 9, 2023
0 Oct 1, 2022
3 Jan 23, 2022
8 Dec 17, 2022
9 Mar 24, 2022
12 Dec 26, 2022
9 Feb 10, 2022
1 Dec 13, 2021
909 Dec 15, 2022
1 Nov 03, 2021
3 Mar 03, 2022
19 Oct 21, 2022
4 Jan 27, 2022
58 Jan 03, 2023
1k Dec 31, 2022
7 Feb 02, 2022
782 Dec 31, 2022
3 Mar 04, 2022
2 Oct 07, 2022
111 Dec 27, 2022
4 Nov 27, 2022
802 Dec 31, 2022
3 Feb 07, 2022
2.2k Jan 04, 2023
2 Aug 20, 2022
93 Nov 16, 2022