DomXSS vulnerabilities with implicit output have been difficult for traditional scanning tools to discover. XssSniper relies on a Chrome browser extension to discover DomXSS vulnerabilities quickly and accurately through dynamic parsing in the browser itself.
In addition, the extension does not only find XSS with implicit output: it also finds DomXSS and reflected XSS with explicit output, automatically finds XSS in JSONP endpoints, and detects SOME (Same Origin Method Execution) vulnerabilities.
XSS detection principle
This extension uses two methods to detect DOMXSS.
The first method: FUZZ
This detection method has a very low false-positive rate: everything it reports is a real vulnerability. The cost is a relatively high false-negative rate. Specifically, the extension creates a hidden iframe in the current page and, inside that iframe, fuzzes each URL parameter and each location.hash parameter of the current page with payloads built from different combinations of truncating characters. If a payload executes, the vulnerability definitely exists.
The second method: monitoring JS errors
If the XSS is relatively subtle, or requires a very complex combination of characters to break out of its context, the payload will not execute normally. Even so, the payload may still cause a JavaScript syntax exception, and the extension only needs to detect these exceptions. It then shows the user the location of the error, the error message and the line number, so the user can confirm the XSS manually. This method has fewer false negatives, but the price is a higher false-positive rate.
The two detection methods complement each other and cover each other's weaknesses.
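The second method in miniature, as an added example that is not XssSniper's code: a page script that splices untrusted text into JavaScript source is a DomXSS sink, and a truncating probe usually shows up as a SyntaxError even when nothing executes. The sink functions, the probe list and the catch-based collector are assumptions standing in for the page's own scripts and the extension's error hook.

```javascript
// Vulnerable sink (assumption): code built from a URL fragment by string
// concatenation. A quote in the fragment closes the string literal early.
function vulnerableSink(fragment) {
  const src = "var tag = '" + fragment + "'; return tag;";
  return new Function(src)();
}

// Hardened sink: JSON.stringify emits a valid JS string literal, so quotes,
// backslashes and newlines in the fragment can no longer close it.
function hardenedSink(fragment) {
  const src = "var tag = " + JSON.stringify(fragment) + "; return tag;";
  return new Function(src)();
}

// Constructed truncation probes: single characters that break a string
// context. They carry no script; the signal is the exception they cause.
const PROBES = ["'", "\"", "\\", "'//", "\n"];

// Feed each probe to a sink and record the JS exceptions it triggers.
// The extension gets the same signal by hooking the page's error events;
// here we simply catch them. Returns one record per probe that threw.
function probeSink(sink, probes = PROBES) {
  const findings = [];
  for (const probe of probes) {
    try {
      sink(probe);
    } catch (err) {
      findings.push({ probe, error: err.constructor.name, message: err.message });
    }
  }
  return findings;
}

console.log("vulnerable sink:", probeSink(vulnerableSink));
console.log("hardened sink:", probeSink(hardenedSink));
```

Note that not every probe throws against the vulnerable sink (a double quote is harmless inside single quotes), which is why the extension permutes several truncating characters per parameter.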
Usage
Open the control panel.
Add your target website in the “Target List” box and click “Save Target”.
Optional: add more XSS payloads in the “Payload List” box and click “Save payload”.
Click the “Switch to Open” button.
Go to the target websites. XSS detection starts automatically as you browse them, so once fuzzing is switched on you only need to browse the sites normally.