automatically crawl every URL and find cross site scripting (XSS)

Related tags

Security related resourceslinuxhackingxssxss-vulnerabilitybugbountytermuxxss-scannerxss-exploitationxss-detectionxss-attacks
Overview



scancss

Fastest tool to find XSS.

multiple xss

scancss is a fastest tool to detect Cross Site scripting (XSS) automatically and it's also an intelligent payload generator.


Main Features

  • Reflected XSS scanning
  • Blind xss find
  • Crawling all links on a website
  • POST and GET forms are supported
  • Advanced error handling
  • Multiprocessing support

multiple xss


Documentation

install

git clone https://github.com/thenurhabib/scancss.git
cd scancss
python -m pip install -r requirements.txt
python3 scancss.py --help

Usage

======================================================================== 
usage: scancss -u <target> [options]

Options:
  --help            Show usage and help parameters
  -u                Target url (e.g. http://example.com)                                                      
  --depth           Depth web page to crawl. Default: 2                                                       
  --payload-level   Level for payload Generator, 7 for custom payload. {1...6}. Default: 6                    
  --payload         Load custom payload directly (e.g. <script>alert(2005)</script>)                          
  --method          Method setting(s):                                                                        
                        0: GET                                                                                
                        1: POST                                                                               
                        2: GET and POST (default)                                                             
  --user-agent      Request user agent (e.g. Chrome/2.1.1/...)                                                
  --single          Single scan. No crawling just one address                                                 
  --proxy           Set proxy (e.g. {'https':'https://10.10.1.10:1080'})                                      
  --about           Print information about scancss tool                                                      
  --cookie          Set cookie (e.g {'ID':'12464476836'})                                                      
                                                                                                              
========================================================================

multiple xss

Author

Name       : Md. Nur habib
Medium     : thenurhabib.medium.com
Twitter    : https://twitter.com/thenurhab1b
HackerRank : https://www.hackerrank.com/thenurhabib
Thank You.
You might also like...
edgedressing leverages a Windows "feature" in order to force a target's Edge browser to open. This browser is then directed to a URL of choice.

edgedressing One day while experimenting with airpwn-ng, I noticed unexpected GET requests on the target node. The node in question happened to be a W

stryngs 43 Dec 23, 2022
Fast python tool to test apache path traversal CVE-2021-41773 in a List of url

CVE-2021-41773 Fast python tool to test apache path traversal CVE-2021-41773 in a List of url Usage :- create a live urls file and use the flag "-l" p

Zahir Tariq 12 Nov 9, 2022
Simple Python 3 script to detect the
Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading

log4j-detect Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading The script

Víctor García 187 Jan 3, 2023
A piece of software that shows a traceroute of a URL redirect path
A piece of software that shows a traceroute of a URL redirect path

Tracing URL redirects has never been easier! Usage • Download 🚩 Use Cases To see where an affiliate link ends up To see what affiliate network is bei

null 41 Nov 22, 2022
Python script that sends CVE-2021-44228 log4j payload requests to url list

scan4log4j Python script that sends CVE-2021-44228 log4j payload requests to url list [VERY BETA] using Supply your url list to urls.txt Put your payl

elyesa 5 Nov 9, 2022
Simple Python 3 script to detect the
Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading

log4j-detect Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading The script

Wade 1 Dec 15, 2021
Python directory buster, multiple threads, gobuster-like CLI, web server brute-forcer, URL replace pattern feature.

pybuster v1.1 pybuster is a tool that is used to brute-force URLs of web servers. Features Directory busting (URI) URL replace patterns (put PYBUSTER

Glaukio 1 Jan 5, 2022
Analyse a forensic target (such as a directory) to find and report files found and not found from CIRCL hashlookup public service

Analyse a forensic target (such as a directory) to find and report files found and not found from CIRCL hashlookup public service. This tool can help a digital forensic investigator to know the context, origin of specific files during a digital forensic investigation.

hashlookup 96 Dec 20, 2022
NexScanner is a tool which allows you to scan a website and find the admin login panel and sub-domains
NexScanner is a tool which allows you to scan a website and find the admin login panel and sub-domains

NexScanner NexScanner is a tool which helps you scan a website for sub-domains and also to find login pages in the website like the admin login panel

null 8 Sep 3, 2022
Comments
  • ModuleNotFoundError: No module named 'click'

    ModuleNotFoundError: No module named 'click'

    IMG_20220314_012833

    As you can see in the screenshot its showing an error called "ModuleNotFoundError" it is because you didnt add the "click" python module in the requirements.txt. Please consider adding this click module in requirements.txt and kindly forgive my horrible English.

    Thanks.

    opened by BDhackers009 1
  • The Crawler Don't Catch POST Parameters

    The Crawler Don't Catch POST Parameters

    Dear Developer,,

    Thank you for building this automation tool after some scanning and testing for the tool with crawling mode and with single scan i touch that the tool don't grab all the parameters specially the one's comes with POST requests

    the tool don't catch the POST parameters comes inside categories filters

    if you can update the crawler it will be great

    opened by Moskitoz 0
  • json.decoder.JSONDecodeError while supplying cookies

    json.decoder.JSONDecodeError while supplying cookies

    the tool is throwing errors while supplying the cookie like so :

    [03:37:11] [INFO] --scancss
***************
Traceback (most recent call last):
  File "/opt/websecurity/scancss/scancss.py", line 114, in <module>
    start()
  File "/opt/websecurity/scancss/scancss.py", line 92, in start
    core.main(getopt.u, getopt.proxy, getopt.user_agent,
  File "/opt/websecurity/scancss/core.py", line 194, in main
    self.session = session(proxy, headers, cookie)
  File "/opt/websecurity/scancss/helper.py", line 39, in session
    requestVariable.cookies.update(json.loads(cookie))
  File "/usr/lib/python3.10/json/__init__.py", line 346, in loads
    return _default_decoder.decode(s)                                                                                         
  File "/usr/lib/python3.10/json/decoder.py", line 337, in decode                                                             
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())                                                                         
  File "/usr/lib/python3.10/json/decoder.py", line 355, in raw_decode                                                         
    raise JSONDecodeError("Expecting value", s, err.value) from None                                                          
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
    opened by surya-dev-singh 0
Releases(v1.0.0)
Owner
Md. Nur habib
Programmer | System Administrator | Blogger
Md. Nur habib
GitHub Repository
A Burp Suite extension made to automate the process of finding reverse proxy path based SSRF.

TProxer A Burp Suite extension made to automate the process of finding reverse proxy path based SSRF. How • Install • Todo • Join Discord How it works

Krypt0mux 162 Nov 25, 2022
PrivateRoom - Make your work private by building a system using arduino which instantly kills a program when someone enters your room/cabin

privateRoom Make your work private by building a system using arduino which instantly kills a program when someone enters your room/cabin STEPS: Uploa

Divyanshu Kumar 3 Nov 08, 2022
SEBUAH TOOLS TERMUX CRACK AKUN FF HOMKI AKUN EPEP DAH SATU FOLLOW AE YA BROO AWOKWOK

print " INSTALL TOOLS " $ pkg update && upgrade $ pkg install python2 $ pkg install git $ pip2 install lolcat $ pip2 install bs4 $ pip2 install reques

Jeeck 2 Nov 29, 2021
Multi Brute Force Facebook - Crack Facebook With Login - Free For Now

✭ SAKERA CRACK Made With ❤️ By Denventa, Araya, Dapunta Author: - Denventa - Araya Dev - Dapunta Khurayra X ⇨ Fitur Login [✯] Login Cookies ⇨ Ins

Dapunta ID 26 Jan 01, 2023
💣 Bomb Crypto Bot 💣

💣 Bomb Crypto Bot 💣 ⚠️ Warning I am not responsible for any penalties incurred by those who use the bot, use it at your own risk. 📄 Documentation -

Matheus Benites 4 Apr 27, 2022
OMIGOD! OM I GOOD? A free scanner to detect VMs vulnerable to one of the

omigood (OM I GOOD?) This repository contains a free scanner to detect VMs vulnerable to one of the "OMIGOD" vulnerabilities discovered by Wiz's threa

Marco Simioni 13 Jul 13, 2022
A python script to bypass 403-forbidden.

4nought3 A python script to bypass 403-forbidden. It covers methods like Host-Header Injections, Changing HTTP Requests Methods and URL-Injections. Us

11 Aug 27, 2022
IDA2Obj is a tool to implement SBI (Static Binary Instrumentation).

IDA2Obj IDA2Obj is a tool to implement SBI (Static Binary Instrumentation). The working flow is simple: Dump object files (COFF) directly from one exe

Mickey 94 Dec 13, 2022
A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration)

MassDNS A high-performance DNS stub resolver MassDNS is a simple high-performance DNS stub resolver targeting those who seek to resolve a massive amou

B. Blechschmidt 2.5k Jan 07, 2023
Hadoop Yan ResourceManager unauthorized RCE

Vuln Impact There was an unauthorized access vulnerability in Hadoop yarn ResourceManager. This vulnerability existed in Hadoop yarn, the core compone

Al1ex 25 Nov 24, 2022
Acc-Data-Gen - Allows you to generate a password, e-mail & token for your Minecraft Account

Acc-Data-Gen Allows you to generate a password, e-mail & token for your Minecraft Account How to use the generator: Move all the files in a single dir

KarmaBait 2 May 16, 2022
A small script to export all AWAF policies from a BIG-IP device

This script leverages BIG-IP iControl REST API to export ALL AWAF policies in the system and saves them locally. The policies can be exported in the following formats: xml, plc and json.

3 Feb 03, 2022
SSRF search vulnerabilities exploitation extended.

This tool search for SSRF using predefined settings in different parts of a request (path, host, headers, post and get parameters).

Andri Wahyudi 13 Jul 04, 2021
recover Firefox and more browsers logins

Browser Creds this script will recover saved browsers logins into txt files. It currently only support windows 10. currently support : Chrome Opera Fi

HugoLB 41 Nov 09, 2022
Format SSSD Raw Kerberos Payloads into CCACHE files for use on Windows systems

KCMTicketFormatter This tools takes the output from https://github.com/fireeye/SSSDKCMExtractor and turns it into properly formatted CCACHE files for

Black Lantern Security 35 Oct 25, 2022
C++ fully undetected shellcode launcher

charlotte c++ fully undetected shellcode launcher ;) releasing this to celebrate the birth of my newborn description 13/05/2021: c++ shellcode launche

894 Dec 25, 2022
Getting my gitlab commit history into github

🔰 ᵀᴱᴸᴱᴳᴿᴬᴹ ᴴᴬᶜᴷ ᴮᴼᵀ 🔰 The owner would not be responsible for any kind of bans due to the bot. • ⚡ INSTALLING ⚡ • • 🛠️ Lᴀɴɢᴜᴀɢᴇs Aɴᴅ Tᴏᴏʟs 🔰 • If

Santiago Chiesa 1 Dec 24, 2021
Security audit Python project dependencies against security advisory databases.

Security audit Python project dependencies against security advisory databases.

52 Dec 17, 2022
ThePhish: an automated phishing email analysis tool

ThePhish ThePhish is an automated phishing email analysis tool based on TheHive, Cortex and MISP. It is a web application written in Python 3 and base

675 Jan 03, 2023
利用NTLM Hash读取Exchange邮件

GetMail 利用NTLM Hash读取Exchange邮件:在进行内网渗透时候,我们经常拿到的是账号的Hash凭据而不是明文口令。在这种情况下采用邮件客户端或者WEBMAIL的方式读取邮件就很麻烦,需要进行破解,NTLM的破解主要依靠字典强度,破解概率并不是很大。

<a href=[email protected]"> 388 Dec 27, 2022