Extended-XSS-Search - Scans For Different Types Of XSS On A List Of URLs


[![](https://1.bp.blogspot.com/-aX4kK_EDcD0/Xl24ad0PypI/AAAAAAAAR20/OJmp93DIKQ0I2TOVUpaLYJeV6KiV1a7YgCNcBGAsYHQ/s640/extended-xss-search_2.png)](<https://1.bp.blogspot.com/-aX4kK_EDcD0/Xl24ad0PypI/AAAAAAAAR20/OJmp93DIKQ0I2TOVUpaLYJeV6KiV1a7YgCNcBGAsYHQ/s1600/extended-xss-search_2.png>) This is the extended version based on the initial idea already published as "xssfinder". This private version allows an attacker to perform not only GET but also POST requests. Additionally its possible to proxy every request through Burp or another tunnel. **First steps** Rename the **example.app-settings.conf** to **app-settings.conf** and adjust the settings. It should work out of the box but depending on the target I would recommend to resize the chunk sizes. **Execution** This tool does not expect any arguments via CLI, so just type: python3 extended-xss-search.py **Configuration** Its possible to set a lot of options and settings, so here are some explanations. **Files** The main config file is the "app-settings.conf", everything has to be done in that file! Besides that, there are some other files which allow to set more complex data like headers, urls and cookies. **config/cookie-jar.txt** Use this file to add a cookie string. I usually copy the one which you can see in every burp request. Please just copy the value of the "Cookie:"-header. A sample input is in the default file. **config/http-headers.txt** This file defines the http [headers](<https://www.kitploit.com/search/label/Headers> "headers" ) which are added to the request and manipulated (payload is added to each one). The most important ones are already in the file. But feel free to add more. **config/parameters.txt** The tool has the option to [brute force](<https://www.kitploit.com/search/label/Brute%20Force> "brute force" ) get and post parameters. In that case those parameters (+ those in the query string) will be used. Each parameter gets the [payload](<https://www.kitploit.com/search/label/Payload> "payload" ) as value. Most important are already in that file. **config/urls-to-test.txt** Thats the file you need! Please add here your links to scan. The following formats are allowed: * [https://domain.com](<https://domain.com/> "https://domain.com" ) * <https://domain.com/path> * [https://domain.com/path?param=value&param1=value1](<https://domain.com/path?param=value&param1=value1> "https://domain.com/path?param=value&param1=value1" ) * domain.com When the last case is detected an "http://" is prepended. This tool is intended to work with a good list of urls. A good way to get one is to just export it using burp. Then you have a valid list of urls. All you need to do ist to just add your cookies. **logs/** This is the log folder where everything gets logged to! **Settings** The app-settings.conf defined the program workflow. Its the most important file, you can activate/deactive different modules there. **Basic settings** _HTTPTimeout_ Some requests can take long. Here you can define the max. execution time of one request. I recommend values between 2 and 6 seconds. _MaxThreads_ The more threads, the faster the script is - but since we are dealing with a lot of connections I usually keep this below 10 on my personal computer and arround 30 on my VPS. **Attack types** _OnlyBaseRequest_ Setting this to true will result in only "base requests" - this means the url lists is just spidered and interesting parameters extracted. You could use that to fill you burp sitemap quickly. _UsePost_ Use can skip POST requests setting this to "false" _UseGet_ This is similar - skip GET requests if set to "false" **Attack type settings** _GetChunkSize_ How many [GET parameters](<https://www.kitploit.com/search/label/GET%20parameters> "GET parameters" ) to test with one request? _PostChunkSize_ How many [POST parameters](<https://www.kitploit.com/search/label/POST%20parameters> "POST parameters" ) to test with one request? **Tunneling** Its also possible to use a tunnel, e.g. "" (Burp Proxy), to monitor all traffic within Burp. _Active_ Setting this to "true" will force the script to use a tunneled connection. _Tunnel_ Set here your proxy server "ip:port". The result is the following one, when you open Burp you can watch your http history: [![](https://1.bp.blogspot.com/-lrTid3oaFLw/Xl24iajIn5I/AAAAAAAAR24/capT0VBEkjUhQD_1Ufu5ZGF4eMOQrijjQCNcBGAsYHQ/s640/extended-xss-search_1.png)](<https://1.bp.blogspot.com/-lrTid3oaFLw/Xl24iajIn5I/AAAAAAAAR24/capT0VBEkjUhQD_1Ufu5ZGF4eMOQrijjQCNcBGAsYHQ/s1600/extended-xss-search_1.png>) **Screenshot** [![](https://1.bp.blogspot.com/-H9-MMyF3AgQ/Xl24ohwQraI/AAAAAAAAR28/yOsjH7o6H3gJBBL-kU8BxIWW8uRUuhIUgCNcBGAsYHQ/s640/extended-xss-search_2.png)](<https://1.bp.blogspot.com/-H9-MMyF3AgQ/Xl24ohwQraI/AAAAAAAAR28/yOsjH7o6H3gJBBL-kU8BxIWW8uRUuhIUgCNcBGAsYHQ/s1600/extended-xss-search_2.png>) [![](https://1.bp.blogspot.com/-rSz8EASCBts/Xl24ovH2UuI/AAAAAAAAR3A/n0S9Fd5XrWI6mDiZhtpD6Y2rY60jXyl5gCNcBGAsYHQ/s640/extended-xss-search_3.png)](<https://1.bp.blogspot.com/-rSz8EASCBts/Xl24ovH2UuI/AAAAAAAAR3A/n0S9Fd5XrWI6mDiZhtpD6Y2rY60jXyl5gCNcBGAsYHQ/s1600/extended-xss-search_3.png>) **[Download Extended-Xss-Search](<https://github.com/Damian89/extended-xss-search> "Download Extended-Xss-Search" )**