XSStrike: A XSS Detection & Exploitation Kit

2017-09-04T06:11:43
ID PENTESTIT:46DDE7B59288C02F0628AFAED6926DF6
Type pentestit
Reporter Black
Modified 2017-09-04T06:11:43

Description


If you remember a couple of weeks back, I blogged about XSS Radar, a Google Chrome extension to help you discover cross-site scripting vulnerabilities. This post is about XSStrike, a similar tool for finding cross-site scripting vulnerabilities, but one written in Python.

XSStrike

What is XSStrike?

XSStrike is an open source Python script with fuzzing and web application firewall (WAF) bypassing features, designed to detect and exploit cross-site scripting (XSS) vulnerabilities. It requires Python 2.7 plus a few dependencies, and it keeps its XSS payloads in a SQLite database, db.sqlite. These are the features XSStrike provides:

  • Fuzzes a parameter and builds a suitable payload. The Fuzzer module checks where and how many times the input is reflected in the response, tries to break out of each reflection context, and builds a payload for that context if the breakout succeeds.
  • Brute-forces parameters with payloads. This is the Striker module, a payload brute-forcer that throws its payload list at every parameter.
  • Has inbuilt crawler-like functionality. This is the Spider module, which collects all links present on the target's homepage and checks each of them for XSS.
  • Can reverse engineer the rules of a WAF or filter. This is done by the Ninja module, which reverse engineers the rules of filters/WAFs and can suggest payloads based on what it finds.
  • Detects and tries to bypass web application firewalls. This is done by the Hulk module, which injects polyglots and payloads into the selected parameter.
  • Supports both HTTP GET and POST methods.
  • Most of the payloads are hand-crafted.
  • Aims for a negligible number of false positives.
  • Opens the PoC in a browser window using mechanize.

As of now, XSStrike can detect and try to bypass ModSecurity, WebKnight and F5 BIG-IP firewalls. If it does not recognise one of these, it still tries to work around whatever filter is in place. As far as fuzzing goes, you can choose the reflection context to target: inside an HTML comment, an empty tag attribute, any other tag attribute, HTML data or plain text, or within a script.
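To make the Fuzzer's approach concrete, here is an added example (Python 3, written for this post and not XSStrike's own code) that does the two things the module description above lists: it locates every reflection of a unique probe string in a response body, classifies the context each one landed in (comment, attribute value, script body, or plain text), and picks a breakout prefix for that context; a second function then checks whether a follow-up response returned the breakout characters verbatim, which is what decides whether a payload can be built. The probe value, the sample response bodies and the breakout strings are all constructed for the example; the HTTP round trips that XSStrike performs are assumed to have happened already.

```python
"""Reflection-context detection in the spirit of XSStrike's Fuzzer module.

Added example, not XSStrike's own code. The response bodies below are
constructed; a real run would fetch them with requests or mechanize.
"""
import re

PROBE = "xsstr1ke"  # unique, filter-safe marker submitted as the parameter value (assumed)

# Constructed response: the probe echoed into five different contexts.
SAMPLE_HTML = f"""<!doctype html>
<html><head><title>Search</title></head>
<body>
<!-- last query: {PROBE} -->
<input type="text" name="q" value="{PROBE}">
<a href="/search?q={PROBE}">again</a>
<p>You searched for {PROBE}</p>
<script>var q = "{PROBE}";</script>
</body></html>"""

# Constructed follow-up responses to the attribute breakout '">' + PROBE:
RAW_FOLLOWUP = '<input value="">xsstr1ke">'             # breakout reflected as-is
ENCODED_FOLLOWUP = '<input value="&quot;&gt;xsstr1ke">'  # server entity-encoded it


def classify(html, idx):
    """Return (context, quote) for the reflection starting at html[idx].

    Only the text *before* the reflection is inspected, so an unclosed
    construct tells us what the browser's tokenizer is in the middle of.
    """
    before = html[:idx]
    low = before.lower()
    # An unclosed "<!--" means we are inside an HTML comment.
    if low.rfind("<!--") > low.rfind("-->"):
        return "comment", ""
    # An unclosed <script> means we are inside script data.
    if low.rfind("<script") > low.rfind("</script"):
        return "script", ""
    # An unclosed "<" means we are inside a tag, i.e. in an attribute value.
    lt, gt = before.rfind("<"), before.rfind(">")
    if lt > gt:
        # Find the quote character (if any) that opened the attribute value.
        m = re.search(r'=\s*(["\']?)[^"\'>]*$', before[lt:])
        return "attribute", (m.group(1) if m else "")
    return "text", ""


def breakout_for(context, quote):
    """Prefix that closes the current construct so following HTML is parsed fresh."""
    if context == "comment":
        return "-->"
    if context == "attribute":
        return quote + ">"          # close the value (if quoted) and the tag
    if context == "script":
        return "</script>"          # the HTML tokenizer ends script data here
        # regardless of JavaScript quoting
    return ""                       # plain text: a tag can be injected directly


def find_reflections(html, probe):
    """Every reflection of `probe`, with its context and suggested breakout."""
    results, start = [], 0
    while (idx := html.find(probe, start)) != -1:
        context, quote = classify(html, idx)
        results.append({"offset": idx, "context": context, "quote": quote,
                        "breakout": breakout_for(context, quote)})
        start = idx + len(probe)
    return results


def breakout_survived(body, breakout, marker):
    """Second step of the fuzz: `breakout + marker` was submitted and must
    come back verbatim. Entity-encoded or stripped characters mean the
    context cannot be escaped with that breakout."""
    return (breakout + marker) in body


if __name__ == "__main__":
    hits = find_reflections(SAMPLE_HTML, PROBE)
    print(f"{len(hits)} reflection(s) of {PROBE!r}")
    for r in hits:
        print(f'  offset={r["offset"]:4d} context={r["context"]:9s} breakout={r["breakout"]!r}')
    print("attribute breakout survived (raw):    ", breakout_survived(RAW_FOLLOWUP, '">', PROBE))
    print("attribute breakout survived (encoded):", breakout_survived(ENCODED_FOLLOWUP, '">', PROBE))
```

The classification deliberately looks only at the markup before each reflection, which is how a browser's tokenizer decides what it is parsing; it does not distinguish the "empty tag attribute" case XSStrike lists separately from any other attribute. A reflection alone proves nothing, which is why the second function matters: if the follow-up response comes back like ENCODED_FOLLOWUP, the characters needed to escape the context were encoded and no payload should be built for it.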

Download & Install XSStrike:

Start by cloning the tool's Git repository and installing its dependencies. Remember that XSStrike needs Python 2.7, so run pip from that interpreter.

git clone https://github.com/UltimateHackers/XSStrike && cd XSStrike
pip install -r requirements.txt

You are now ready to run the tool!

The post XSStrike: A XSS Detection & Exploitation Kit appeared first on PenTestIT.