Updated fork of XSStrike: The most advanced XSS scanner.
Project description
XSStrike
Advanced XSS Detection Suite
XSStrike Wiki • Usage • FAQ • For Developers • Compatibility • Gallery
XSStrike Reborn is an updated fork of XSStrike. XSStrike is a Cross Site Scripting detection suite equipped with four hand written parsers, an intelligent payload generator, a powerful fuzzing engine and an incredibly fast crawler.
Instead of injecting payloads and checking it works like all the other tools do, XSStrike analyses the response with multiple parsers and then crafts payloads that are guaranteed to work by context analysis integrated with a fuzzing engine. Here are some examples of the payloads generated by XSStrike:
}]};(confirm)()//\
<A%0aONMouseOvER%0d=%0d[8].find(confirm)>z
</tiTlE/><a%0donpOintErentER%0d=%0d(prompt)``>z
</SCRiPT/><DETAILs/+/onpoINTERenTEr%0a=%0aa=prompt,a()//
Apart from that, XSStrike has crawling, fuzzing, parameter discovery, WAF detection capabilities as well. It also scans for DOM XSS vulnerabilities.
Main Features
- Reflected and DOM XSS scanning
- Multi-threaded crawling
- Context analysis
- Configurable core
- WAF detection & evasion
- Outdated JS lib scanning
- Intelligent payload generator
- Handmade HTML & JavaScript parser
- Powerful fuzzing engine
- Blind XSS support
- Highly researched work-flow
- Complete HTTP support
- Bruteforce payloads from a file
- Powered by Photon, Zetanize and Arjun
- Payload Encoding
Documentation
NOTE: replace python xsstrike.py with python xsstrike_reborn.py to use this project.
FAQ
- It says fuzzywuzzy isn't installed but it is.
- What's up with Blind XSS?
- Why XSStrike boasts that it is the most advanced XSS detection suite?
- I like the project, what enhancements and features I can expect in future?
- What's the false positive/negative rate?
- Tool xyz works against the target, while XSStrike doesn't!
- Can I copy it's code?
- What if I want to embed it into a proprietary software?
Gallery
DOM XSS
Reflected XSS
Crawling
Fuzzing
Bruteforcing payloads from a file
Interactive HTTP Headers Prompt
Hidden Parameter Discovery
Contribution, Credits & License
Ways to contribute
- Suggest a feature
- Report a bug
- Fix something and open a pull request
- Help me document the code
- Spread the word
Licensed under the GNU GPLv3, see LICENSE for more information.
The WAF signatures in /db/wafSignatures.json are taken & modified from sqlmap. I extracted them from sqlmap's waf detection modules which can found here and converted them to JSON.
/plugins/retireJS.py is a modified version of retirejslib.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file xsstrike_reborn-4.1.0.tar.gz.
File metadata
- Download URL: xsstrike_reborn-4.1.0.tar.gz
- Upload date:
- Size: 56.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: python-requests/2.28.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
36bfec0a8f4c5734e87b6647620ec6c686ab53ce3470954e7a2653907860e6f1
|
|
| MD5 |
6b5d2a28f907a141d1dba674c49349b3
|
|
| BLAKE2b-256 |
806b7d016165e7733f8ca78a29f70432c610eccd24b3170454baa26069ee8281
|
File details
Details for the file xsstrike_reborn-4.1.0-py3-none-any.whl.
File metadata
- Download URL: xsstrike_reborn-4.1.0-py3-none-any.whl
- Upload date:
- Size: 19.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: python-requests/2.28.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
310cdb3b93436724111e6703562c9e2e4dbfc30fe86b13b246fab1dc68b7fc3b
|
|
| MD5 |
332be467b9fc558e5d1890eb3f64f424
|
|
| BLAKE2b-256 |
9e6ff11742415c35a41bd52836fcd890e09f89c98f385d3ad015f68c0318683c
|
