XSSearch
A Comprehensive Reflected XSS Scanner
XSSearch is a comprehensive reflected XSS tool with 3000+ Payloads for automating XSS attacks and validating XSS endpoints.
DISCLAIMER :
The XSSearch developer will not be held liable if the tool is used with harmful or criminal intent. Please use at your own risk. :)
USES :
- XSSearch can be used to discover reflected Cross Site Scripting (XSS) vulnerabilities
- XSSearch is capable of validating XSS payloads.
- XSSearch will facilitate in the automation of brute - force attack for the verification of reflected XSS.
- Works on all Linux environment
- This can also be used in penetration testing to evaluate sanitization strength.
FEATURES :
- Contains more than 3000 payloads for XSS validation
- Works on selenium framework & ChromeDriver
- It is faster than other XSS tools since the code is very light and rapid.
- The code and payloads can be modified according to the situation.
SETUP & INSTALLATION
XSSearch requires Selenium, ChromeDriver and Python to work smoothly on your system.
Installing Selenium
$ sudo apt update
$ pip3 install selenium
Installing Chrome Browser for Linux (Skip this if you already have Chrome browser on your Linux)
$ wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
$ sudo apt install ./google-chrome-stable_current_amd64.deb
You may use the command to start Chrome from your terminal.
$ google-chrome --no-sandbox
Downloading ChromeDriver
Go to https://chromedriver.chromium.org/downloads and get the linux 64 zipped version of ChromeDriver 80.0.3987.106.
Unzip the zip file. There will be a file for ChromeDriver. Open terminal on the same location and use the following command.
$ sudo chmod +x chromedriver
$ sudo mv -f chromedriver /usr/bin/chromedriver
USAGE
XSSearch is a command line tool that uses a single command line instruction for simple and speedy execution.
Note : This tool will only work on url which has a input paramter in the url. Example : www[.]target[.]com/?xyz=
$ python3 xssearch.py -u url.com/?s={xss} -p payloads.txt
Arguments :
-u : It is required for URL input
-p : It is required for Payload file input
{xss} : It is a placeholder that the user should append after an equal to sign (=) in the url argument.
Live Usage
$ python3 xssearch.py -u https://ac121f0e1eb31ae5c0c9473f00f400f7.web-security-academy.net/?search={xss} -p payloads.txt
Above is the screenshot of the tool with live example.
Valid XSS exploits are marked with red alerts.
Invalid XSS exploits are marked with blue alerts.
Errors & Warnings
The following are some errors that might arise as a result of an incomplete command, not specifying arguments or not specifying placeholders.
Use the below command to get help
$ python3 xssearch.py -h
LICENSE
More suggestions and contributions are highly appreciated to make this tool better :)
STAY SAFE, ACT SMART
Hit Me Up
1 Dec 1, 2021
2 Aug 12, 2021
8 Jan 9, 2023
0 Oct 1, 2022
3 Jan 23, 2022
8 Dec 17, 2022
9 Mar 24, 2022
12 Dec 26, 2022
9 Feb 10, 2022
25.7k Jan 04, 2023
1 Nov 29, 2021
1k Jan 03, 2023
1 Dec 01, 2021
1.6k Dec 09, 2022
222 Jan 04, 2023
218 Dec 16, 2022
74 Nov 29, 2022
17 Dec 30, 2022
75 Dec 19, 2022
499 Dec 28, 2022
6 Jan 28, 2022
575 Jan 02, 2023
276 Mar 03, 2021
8 Nov 01, 2022
4 Dec 16, 2021
70 Jan 03, 2023
1 Dec 24, 2021