XSSearch
A Comprehensive Reflected XSS Scanner
XSSearch is a comprehensive reflected XSS tool with 3000+ Payloads for automating XSS attacks and validating XSS endpoints.
DISCLAIMER :
The XSSearch developer will not be held liable if the tool is used with harmful or criminal intent. Please use at your own risk. :)
USES :
- XSSearch can be used to discover reflected Cross Site Scripting (XSS) vulnerabilities
- XSSearch is capable of validating XSS payloads.
- XSSearch will facilitate in the automation of brute - force attack for the verification of reflected XSS.
- Works on all Linux environment
- This can also be used in penetration testing to evaluate sanitization strength.
FEATURES :
- Contains more than 3000 payloads for XSS validation
- Works on selenium framework & ChromeDriver
- It is faster than other XSS tools since the code is very light and rapid.
- The code and payloads can be modified according to the situation.
SETUP & INSTALLATION
XSSearch requires Selenium, ChromeDriver and Python to work smoothly on your system.
Installing Selenium
$ sudo apt update
$ pip3 install selenium
Installing Chrome Browser for Linux (Skip this if you already have Chrome browser on your Linux)
$ wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
$ sudo apt install ./google-chrome-stable_current_amd64.deb
You may use the command to start Chrome from your terminal.
$ google-chrome --no-sandbox
Downloading ChromeDriver
Go to https://chromedriver.chromium.org/downloads and get the linux 64 zipped version of ChromeDriver 80.0.3987.106.
Unzip the zip file. There will be a file for ChromeDriver. Open terminal on the same location and use the following command.
$ sudo chmod +x chromedriver
$ sudo mv -f chromedriver /usr/bin/chromedriver
USAGE
XSSearch is a command line tool that uses a single command line instruction for simple and speedy execution.
Note : This tool will only work on url which has a input paramter in the url. Example : www[.]target[.]com/?xyz=
$ python3 xssearch.py -u url.com/?s={xss} -p payloads.txt
Arguments :
-u : It is required for URL input
-p : It is required for Payload file input
{xss} : It is a placeholder that the user should append after an equal to sign (=) in the url argument.
Live Usage
$ python3 xssearch.py -u https://ac121f0e1eb31ae5c0c9473f00f400f7.web-security-academy.net/?search={xss} -p payloads.txt
Above is the screenshot of the tool with live example.
Valid XSS exploits are marked with red alerts.
Invalid XSS exploits are marked with blue alerts.
Errors & Warnings
The following are some errors that might arise as a result of an incomplete command, not specifying arguments or not specifying placeholders.
Use the below command to get help
$ python3 xssearch.py -h
LICENSE
More suggestions and contributions are highly appreciated to make this tool better :)
STAY SAFE, ACT SMART
Hit Me Up
1 Dec 1, 2021
2 Aug 12, 2021
8 Jan 9, 2023
0 Oct 1, 2022
3 Jan 23, 2022
8 Dec 17, 2022
9 Mar 24, 2022
12 Dec 26, 2022
9 Feb 10, 2022
2.1k Dec 31, 2022
14 Sep 26, 2022
3.5k Dec 29, 2022
32 Nov 05, 2022
59 Dec 25, 2022
76 Nov 25, 2022
941 Jan 03, 2023
1.4k Dec 29, 2022
10 Jul 21, 2022
13 Apr 15, 2022
218 Jan 03, 2023
39 Nov 18, 2022
1 Nov 26, 2021
1 Dec 03, 2021
4 Jan 09, 2022
3 May 31, 2022
4 Dec 11, 2019
8 Jul 07, 2022