Advanced XSS Detection Suite – XSStrike

Last Release: 12/19/2019     Last Commit: 03/20/2022


Introduction

XSStrike is a Cross Site Scripting detection suite equipped with four hand written parsers, an intelligent payload generator, a powerful fuzzing engine and an incredibly fast crawler.


Instead of injecting payloads like other tools, XSStrike uses multiple handmade parsers to analyse the web application’s response. After the analysis, it crafts payloads that are guaranteed to work, using context analysis integrated with a fuzzing engine.

It can also crawl, fingerprint and fuzz WAFs. In addition, it can scan for DOM XSS vulnerabilities. XSStrike is fully compatible with Python 3.4+.
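The context analysis described above comes down to finding where a request value is reflected in the response and which HTML context it lands in, which is also what decides the output encoding a fix needs. As an added example (not XSStrike's own code), the block below does this with Python's standard html.parser in place of XSStrike's handmade parsers; the marker, the class and function names and the sample response are constructed for illustration.

```python
from html.parser import HTMLParser

MARKER = "zq9probe"  # constructed, harmless marker standing in for reflected input

# Output encoding each context calls for when fixing the reflection
REQUIRED_ENCODING = {
    "html-text": "HTML entity encoding",
    "attribute-value": "HTML attribute encoding inside a quoted value",
    "attribute-name": "do not place untrusted data here",
    "script": "JavaScript string encoding",
    "comment": "do not place untrusted data here",
}

class ReflectionContexts(HTMLParser):
    """Collects (context, location) for every place MARKER is reflected."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.found = []
        self.last_tag = None      # most recent start tag seen
        self.in_script = False

    def handle_starttag(self, tag, attrs):
        self.last_tag = tag
        self.in_script = (tag == "script")
        for name, value in attrs:
            if MARKER in name:
                self.found.append(("attribute-name", tag))
            if value and MARKER in value:
                self.found.append(("attribute-value", f"{tag}[{name}]"))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies here as raw, undecoded text
        if MARKER in data:
            ctx = "script" if self.in_script else "html-text"
            self.found.append((ctx, self.last_tag))

    def handle_comment(self, data):
        if MARKER in data:
            self.found.append(("comment", "<!-- -->"))

def analyse(response_body):
    """Return (context, location, required encoding) for each reflection."""
    parser = ReflectionContexts()
    parser.feed(response_body)
    parser.close()
    return [(c, loc, REQUIRED_ENCODING[c]) for c, loc in parser.found]
```
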

Features:

  • Reflected and DOM XSS Scanning
  • Multi-threaded crawling
  • Context analysis
  • Configurable Core
  • Highly Researched Work-flow
  • WAF detection & evasion, WAF Fingerprinting
  • Handmade HTML & JavaScript parser
  • Powerful fuzzing engine
  • Intelligent payload generator
  • Complete HTTP Support
  • Powered by Photon, Zetanize and Arjun
  • Well documented code and regular updates

Supported OSs:

  • Linux (Arch, Debian, Ubuntu), Termux, Windows (7 & 10), MacOSX.

Mac & Windows don’t support ANSI escape sequences, so the output won’t be colored on Mac & Windows.

Requirements:

  • tld, requests, fuzzywuzzy

The rest of the necessary Python libraries come preinstalled with a Python interpreter.

Install

First you’ll need to clone it from the git repo:

$ git clone https://github.com/s0md3v/XSStrike.git

Then navigate to the XSStrike directory and install the requirements:

$ cd XSStrike
$ pip install -r requirements.txt

To run XSStrike:

$ python xsstrike.py

Usage

To list all available arguments, type --help:

usage: xsstrike.py [-h] [-u TARGET] [--data DATA] [-t THREADS]
                   [--fuzzer] [--update] [--timeout] [--params] [--crawl]
                   [--skip-poc] [--skip-dom] [--headers] [-d DELAY]

optional arguments:
  -h, --help            show this help message and exit
  -u, --url             target url
  --data                post data
  -t, --threads         number of threads
  -l, --level           level of crawling
  --fuzzer              fuzzer
  --update              update
  --timeout             timeout
  --params              find params
  --crawl               crawl
  --skip-poc            skip poc generation
  --skip-dom            skip dom checking
  --headers             add headers
  -d, --delay           delay between requests

Scan a single URL example

  • Option: -u or --url

To test a single webpage which uses GET method:

$ python xsstrike.py -u "http://example.com/search.php?q=query"

Supplying POST data:

$ python xsstrike.py -u "http://example.com/search.php" --data "q=query"

Crawling example

  • Option: --crawl

To start crawling from the target webpage, run:

$ python xsstrike.py -u "http://example.com/page.php" --crawl

Finding hidden parameters:

  • Option: --params

$ python xsstrike.py -u "http://example.com/page.php" --params

Skip POC Generation

  • Option: --skip-poc

$ python xsstrike.py -u "http://example.com/search.php?q=query" --skip-poc

Skip DOM Scanning

  • Option: --skip-dom

$ python xsstrike.py -u "http://example.com/search.php?q=query" --skip-dom

For detailed documentation and additional examples, click the “documentation” button below.
