XSStrike v1.2 – Fuzz, Crawl and Bruteforce Parameters for XSS

XSStrike is a python script designed to detect and exploit XSS vulnerabilites.
A list of features XSStrike has to offer:

Fuzzes a parameter and builds a suitable payload

Bruteforces paramteres with payloads

Has an inbuilt crawler like functionality

Can reverse engineer the rules of a WAF/Filter

Detects and tries to bypass WAFs

Both GET and POST support

Most of the payloads are hand crafted

Negligible number of false positives

Opens the POC in a browser window

Installing XSStrike
Use the following command to download it

git clone http://ift.tt/2rXG43z

After downloading, navigate to XSStrike directory with the following command

cd XSStrike

Now install the required modules with the following command

pip install -r requirements.txt

Now you are good to go! Run XSStrike with the following command

python xsstrike

Using XSStrike

You can enter your target URL now but remember, you have to mark the most crucial parameter by inserting “d3v<" in it.
For example: http://ift.tt/2sXfQzC
After you enter your target URL, XSStrike will check if the target is protected by a WAF or not. If its not protected by WAF you will get three options1. Fuzzer: It checks how the input gets reflected in the webpage and then tries to build a payload according to that.

2. Striker: It bruteforces all the parameters one by one and generates the proof of concept in a browser window.

3. Spider: It extracts all the links present in homepage of the target and checks parameters in them for XSS.

4. Hulk: Hulk uses a different approach, it doesn't care about reflection of input. It has a list of polyglots and solid payloads, it just enters them one by one in the target parameter and opens the resulted URL in a browser window.

XSStrike can also bypass WAFs

XSStrike supports POST method too

You can also supply cookies to XSStrike

Demo video

Credits
XSStrike uses code from BruteXSS and Intellifuzzer-XSS, XsSCan.
Download XSStrike

http://ift.tt/2w3s8HL http://ift.tt/2aM8QhC

Anúncios

Deixe um comentário

Preencha os seus dados abaixo ou clique em um ícone para log in:

Logotipo do WordPress.com

Você está comentando utilizando sua conta WordPress.com. Sair / Alterar )

Imagem do Twitter

Você está comentando utilizando sua conta Twitter. Sair / Alterar )

Foto do Facebook

Você está comentando utilizando sua conta Facebook. Sair / Alterar )

Foto do Google+

Você está comentando utilizando sua conta Google+. Sair / Alterar )

Conectando a %s