Advanced XSS Detection and Exploitation Suite: XSStrike

2018-11-15T05:14:37
ID N0WHERE:172021
Type n0where
Reporter N0where
Modified 2018-11-15T05:14:37

Description

XSStrike is a Cross Site Scripting detection suite equipped with four hand written parsers, an intelligent payload generator, a powerful fuzzing engine and an incredibly fast crawler. Instead of injecting payloads and checking it works like all the other tools do, XSStrike analyses the response with multiple parsers and then crafts payloads that are guaranteed to work by context analysis integrated with a fuzzing engine

Advanced XSS Detection and Exploitation Suite: XSStrike

Main Features

  • Reflected and DOM XSS scanning
  • Multi-threaded crawling
  • Context analysis
  • Configurable core
  • WAF detection & evasion
  • Intelligent payload generator
  • Handmade HTML & JavaScript parser
  • Powerful fuzzing engine
  • Blind XSS support
  • Highly researched work-flow
  • Complete HTTP support
  • Bruteforce payloads from a file
  • Powered by Photon , Zetanize and Arjun
  • Payload Encoding

Dependencies


Python Versions

XSStrike is fully compatible with python versions >= 3.4

Operating Systems

XSStrike has been tested on Linux (Arch, Debian, Ubnutu), Termux, Windows (7 & 10), Mac, and works as expected. Feel free to report any bugs you encounter.

Colors

Mac & Windows don’t support ANSI escape sequences so the output won’t be colored on Mac & Windows.

Dependencies

  • tld
  • requests
  • fuzzywuzzy

Usage

usage: xsstrike.py [-h] [-u TARGET] [--data DATA] [-t THREADS]
                   [--fuzzer] [--update] [--timeout] [--params] [--crawl] [--blind]
                   [--verbose] [--skip-dom] [--headers] [--proxy] [-d DELAY] [-e ENCODING]

optional arguments:
  -h, --help            show this help message and exit
  -u, --url             target url
  --data                post data
  -v, --verbose         verbose output
  -f, --file            load payloads from a file
  -t, --threads         number of threads
  -l, --level           level of crawling
  -t, --encode          payload encoding
  --fuzzer              fuzzer
  --update              update
  --timeout             timeout
  --params              find params
  --crawl               crawl
  --proxy               use prox(y|ies)
  --blind               inject blind xss payloads while crawling
  --skip                skip confirmation dialogue and poc
  --skip-dom            skip dom checking
  --headers             add headers
  -d, --delay           delay between requests

Advanced XSS Detection and Exploitation Suite: XSStrike Download