### Install and Run XSStrike Source: https://github.com/s0md3v/xsstrike/blob/master/README.md Commands to clone the repository, install necessary dependencies via pip, and execute the main XSStrike script. ```bash git clone https://github.com/s0md3v/XSStrike cd XSStrike pip install -r requirements.txt --break-system-packages python xsstrike.py ``` -------------------------------- ### Updating XSStrike Source: https://github.com/s0md3v/xsstrike/wiki/Usage Checks for and applies updates to the current installation. It merges changes without overwriting existing local files. ```bash python xsstrike.py --update ``` -------------------------------- ### Basic URL Scanning with XSStrike Source: https://context7.com/s0md3v/xsstrike/llms.txt Scan a single URL for XSS vulnerabilities using GET or POST methods. XSStrike automatically detects WAF presence, analyzes reflection contexts, generates appropriate payloads, and tests them for successful execution. Supports JSON POST data and path injection. ```bash python xsstrike.py -u "http://example.com/search.php?q=test" python xsstrike.py -u "http://example.com/search.php" --data "q=test&category=all" python xsstrike.py -u "http://example.com/api/search" --data '{"query":"test","limit":10}' --json python xsstrike.py -u "http://example.com/search/test/results" --path ``` -------------------------------- ### WAF Fuzzing Mode in XSStrike Source: https://context7.com/s0md3v/xsstrike/llms.txt Test Web Application Firewall (WAF) filter rules by sending various XSS-related strings and analyzing responses. This helps identify which characters and patterns are blocked, filtered, or allowed through. Supports fuzzing GET and POST parameters, with options for reduced delay. ```bash python xsstrike.py -u "http://example.com/search.php?q=test" --fuzzer python xsstrike.py -u "http://example.com/search.php?q=test" --fuzzer -d 1 python xsstrike.py -u "http://example.com/search.php" --data "q=test" --fuzzer ``` -------------------------------- ### Configuring Logging Levels Source: https://github.com/s0md3v/xsstrike/wiki/Usage Demonstrates how to set console and file logging levels to manage output verbosity. File logging requires the --file-log-level flag to be active to function. ```bash python xsstrike.py -u "http://example.com/search.php?q=query" --console-log-level WARNING python xsstrike.py -u "http://example.com/search.php?q=query" --console-log-level DEBUG python xsstrike.py -u "http://example.com/search.php?q=query" --file-log-level INFO --log-file output.log ``` -------------------------------- ### Using Proxies in XSStrike Source: https://github.com/s0md3v/xsstrike/wiki/Usage Enables proxy support for requests. Proxies must be pre-configured in the core/config.py file before this flag can be utilized. ```bash python xsstrike.py -u "http://example.com/search.php?q=query" --proxy ``` -------------------------------- ### Configure Proxy Settings Source: https://context7.com/s0md3v/xsstrike/llms.txt Route traffic through an HTTP proxy for debugging or anonymity. Requires prior configuration in core/config.py. ```bash python xsstrike.py -u "http://example.com/search.php?q=test" --proxy python xsstrike.py -u "http://example.com" --crawl --proxy -l 3 ``` -------------------------------- ### Manage Custom HTTP Headers Source: https://context7.com/s0md3v/xsstrike/llms.txt Configure custom HTTP headers for authentication or specific request requirements. Headers can be passed via command line or an interactive editor. ```bash python xsstrike.py -u "http://example.com/search.php?q=test" --headers "Cookie: session=abc123\nAuthorization: Bearer token123\nX-Custom: value" python xsstrike.py -u "http://example.com/search.php?q=test" --headers ``` -------------------------------- ### POST /core/photon Source: https://context7.com/s0md3v/xsstrike/llms.txt A multi-threaded web crawler that discovers forms, parameters, and links while optionally performing DOM vulnerability checks. ```APIDOC ## POST /core/photon ### Description Crawls a website to map its structure, extracting forms and parameters for further security testing. ### Method POST ### Endpoint /core/photon ### Parameters #### Request Body - **seedUrl** (string) - Required - The starting URL. - **level** (int) - Required - Crawling depth. - **threadCount** (int) - Required - Number of concurrent threads. - **skipDOM** (boolean) - Required - Whether to skip DOM XSS scanning. ### Response #### Success Response (200) - **forms** (list) - Discovered forms with actions and inputs. - **processed_urls** (list) - Set of all crawled URLs. ``` -------------------------------- ### XSStrike Configuration Settings (Python) Source: https://context7.com/s0md3v/xsstrike/llms.txt This Python code snippet defines key configuration variables for the XSStrike tool. It includes settings for blind XSS payloads, proxy servers, minimum payload efficiency, request delays and timeouts, event handlers for payload generation, JavaScript functions for popups, built-in payloads for bruteforce mode, and fuzz strings for WAF testing. These settings allow users to customize the behavior and targeting of the XSStrike scanner. ```python # core/config.py - Key configuration options # Blind XSS payload (set your XSS hunter payload here) blindPayload = '\">' # Proxy configuration proxies = { 'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080' } # Minimum payload efficiency to display minEfficiency = 90 # Request settings delay = 0 # Default delay between requests threadCount = 10 # Default thread count timeout = 10 # Default request timeout # Event handlers for payload generation eventHandlers = { 'ontoggle': ['details'], 'onpointerenter': ['d3v', 'details', 'html', 'a'], 'onmouseover': ['a', 'html', 'd3v'] } # JavaScript functions for popups functions = ( '[8].find(confirm)', 'confirm()', '(confirm)()', 'co\\u006efir\\u006d()', '(prompt)``', 'a=prompt,a()' ) # Built-in payloads for bruteforce mode payloads = ( '\'"', # ... more payloads ) # Fuzz strings for WAF testing fuzzes = ( '', '', '', # ... more fuzz strings ) ``` -------------------------------- ### Execute Configurable HTTP Requests Source: https://context7.com/s0md3v/xsstrike/llms.txt The requester function acts as the core HTTP handler, supporting GET/POST methods, JSON payloads, proxy routing, and automatic User-Agent rotation for stealthy interaction with target servers. ```python def requester(url, data, headers, GET, delay, timeout): """ Make HTTP request with configured options. """ pass ``` -------------------------------- ### Fuzzing with XSStrike Source: https://github.com/s0md3v/xsstrike/wiki/Usage Enables the fuzzer to test filters and WAFs. The fuzzer uses random delays, which can be adjusted using the -d flag to improve performance. ```bash python xsstrike.py -u "http://example.com/search.php?q=query" --fuzzer ``` -------------------------------- ### Extract and Write URL Parameters via document.writeln Source: https://github.com/s0md3v/xsstrike/blob/master/test.html Uses the URL API to parse the current location and write a specific query parameter to the document using writeln. This is a common sink for testing DOM XSS. ```javascript document.writeln(new URL(window.location.href).searchParams.get("a")); ``` -------------------------------- ### Configure Logging Levels Source: https://context7.com/s0md3v/xsstrike/llms.txt Set verbosity levels for console output and file logging to assist in debugging and auditing scan results. ```bash python xsstrike.py -u "http://example.com/search.php?q=test" --console-log-level WARNING python xsstrike.py -u "http://example.com/search.php?q=test" --file-log-level INFO --log-file scan_results.log ``` -------------------------------- ### POST /scan Source: https://context7.com/s0md3v/xsstrike/llms.txt The main scanning function that orchestrates DOM checking, WAF detection, context analysis, payload generation, and verification. ```APIDOC ## POST /scan ### Description Orchestrates the XSS vulnerability scanning process for a target URL, including WAF detection and payload verification. ### Method POST ### Endpoint /scan ### Parameters #### Request Body - **target** (string) - Required - Target URL to scan - **paramData** (dict) - Optional - POST parameters - **encoding** (function) - Optional - Encoding function - **headers** (dict) - Optional - HTTP headers - **delay** (float) - Optional - Delay between requests - **timeout** (int) - Optional - Request timeout - **skipDOM** (boolean) - Optional - Skip DOM XSS check - **skip** (boolean) - Optional - Skip confirmation prompts ### Request Example { "target": "http://example.com/search", "paramData": {"q": "test"}, "skipDOM": false } ### Response #### Success Response (200) - **status** (string) - Scan completion status - **vulnerabilities** (list) - List of discovered XSS vectors ``` -------------------------------- ### POST /core/wafDetector Source: https://context7.com/s0md3v/xsstrike/llms.txt Analyzes a target URL and its parameters to detect the presence of a Web Application Firewall (WAF) by injecting noisy payloads and inspecting response patterns. ```APIDOC ## POST /core/wafDetector ### Description Detects WAF presence by injecting a malicious payload and analyzing the response status, headers, and content patterns against known signatures. ### Method POST ### Endpoint /core/wafDetector ### Parameters #### Request Body - **url** (string) - Required - The target URL to scan. - **params** (dict) - Required - Request parameters. - **headers** (dict) - Required - HTTP headers to include in the request. - **GET** (boolean) - Required - True for GET, False for POST. - **delay** (int) - Required - Delay between requests in seconds. - **timeout** (int) - Required - Request timeout in seconds. ### Response #### Success Response (200) - **waf_name** (string|null) - The name of the detected WAF, or null if none found. ``` -------------------------------- ### Extract and Write URL Parameters via document.write Source: https://github.com/s0md3v/xsstrike/blob/master/test.html Uses URLSearchParams to retrieve a value from the query string and write it directly to the document. This method is often used to demonstrate injection vulnerabilities. ```javascript document.write(new URLSearchParams(window.location.search).get("b")); ``` -------------------------------- ### POST /core/requester Source: https://context7.com/s0md3v/xsstrike/llms.txt A robust HTTP request handler that supports proxying, automatic User-Agent rotation, and JSON data submission. ```APIDOC ## POST /core/requester ### Description Executes HTTP requests with advanced features like path injection, proxy support, and automatic User-Agent rotation. ### Method POST ### Endpoint /core/requester ### Parameters #### Request Body - **url** (string) - Required - Target URL. - **data** (dict) - Required - Request payload. - **GET** (boolean) - Required - Request method type. ### Response #### Success Response (200) - **response** (object) - The standard requests.Response object. ``` -------------------------------- ### POST /generate-payloads Source: https://context7.com/s0md3v/xsstrike/llms.txt Generates context-aware XSS payloads based on reflection analysis and filter effectiveness. ```APIDOC ## POST /generate-payloads ### Description Generates a set of XSS payloads tailored to the specific reflection context identified by the HTML parser. ### Method POST ### Endpoint /generate-payloads ### Parameters #### Request Body - **occurences** (dict) - Required - Context details from htmlParser - **response** (string) - Required - Raw response text ### Request Example { "occurences": {"25": {"context": "script", "details": {"quote": "\""}}}, "response": "" } ### Response #### Success Response (200) - **payloads** (dict) - Payloads categorized by confidence level (1-11) ``` -------------------------------- ### Execute URL Parameters via eval Source: https://github.com/s0md3v/xsstrike/blob/master/test.html Retrieves a parameter from the query string and executes it as JavaScript code using eval. This is a high-risk sink that can lead to arbitrary code execution. ```javascript eval(new URLSearchParams(window.location.search).get("c") || ""); ``` -------------------------------- ### POST /parse-html Source: https://context7.com/s0md3v/xsstrike/llms.txt Analyzes HTTP responses to identify XSS reflection contexts such as HTML, attribute, script, or comment tags. ```APIDOC ## POST /parse-html ### Description Parses the raw HTTP response to identify where user input is reflected and the specific context of that reflection. ### Method POST ### Endpoint /parse-html ### Parameters #### Request Body - **response** (object) - Required - The requests.Response object - **encoding** (function) - Optional - Encoding function ### Request Example { "response": "
test
" } ### Response #### Success Response (200) - **position** (dict) - Map of reflection positions and context details #### Response Example { "42": {"context": "attribute", "details": {"tag": "div", "type": "value", "quote": "\""}} } ``` -------------------------------- ### Crawl Websites for Forms and Parameters Source: https://context7.com/s0md3v/xsstrike/llms.txt The photon function provides a multi-threaded web crawler that discovers forms, parameters, and links, while optionally performing DOM vulnerability checks and identifying outdated JavaScript libraries. ```python def photon(seedUrl, headers, level, threadCount, delay, timeout, skipDOM): """ Crawl website to discover forms and parameters. """ pass ``` -------------------------------- ### Detect WAF via Payload Analysis Source: https://context7.com/s0md3v/xsstrike/llms.txt The wafDetector function identifies Web Application Firewalls by injecting a noisy payload and analyzing the HTTP response status, headers, and content against known WAF signatures. ```python def wafDetector(url, params, headers, GET, delay, timeout): """ Detect WAF by analyzing response to malicious payload. """ pass ``` -------------------------------- ### Orchestrate XSS Scan Workflow Source: https://context7.com/s0md3v/xsstrike/llms.txt The scan function serves as the primary entry point for the vulnerability assessment process. It coordinates DOM checking, WAF detection, and the iterative injection and verification of payloads across target parameters. ```python def scan(target, paramData, encoding, headers, delay, timeout, skipDOM, skip): """ Perform XSS vulnerability scan on a target URL. """ pass ``` -------------------------------- ### Automating Scans with Skip Flags Source: https://github.com/s0md3v/xsstrike/wiki/Usage Utilizes flags to skip user confirmation prompts and DOM scanning. These options are useful for automating batch scans and reducing execution time. ```bash python xsstrike.py -u "http://example.com/search.php?q=query" --skip python xsstrike.py -u "http://example.com/search.php?q=query" --skip-dom ``` -------------------------------- ### Payload Bruteforcing with XSStrike Source: https://context7.com/s0md3v/xsstrike/llms.txt Test custom payloads from a file or use XSStrike's built-in payload list. This mode skips context analysis and directly tests if payloads are reflected unmodified. Can use default payloads or specify a custom file. ```bash python xsstrike.py -u "http://example.com/search.php?q=test" -f default ``` -------------------------------- ### Analyze HTML Reflection Contexts Source: https://context7.com/s0md3v/xsstrike/llms.txt The htmlParser function processes HTTP responses to identify where user input is reflected. It categorizes the reflection into specific contexts like HTML body, attributes, scripts, or comments to inform payload generation. ```python def htmlParser(response, encoding): """ Parse HTTP response to find XSS injection contexts. """ pass ``` -------------------------------- ### Control Request Timing and Delays Source: https://context7.com/s0md3v/xsstrike/llms.txt Adjust request frequency and timeouts to bypass rate limiting or handle slow server responses. ```bash python xsstrike.py -u "http://example.com/search.php?q=test" -d 2 python xsstrike.py -u "http://example.com/search.php?q=test" --timeout 4 python xsstrike.py -u "http://example.com" --crawl -t 5 -d 1 --timeout 5 -l 3 ``` -------------------------------- ### Bruteforce XSS Payloads with XSStrike Source: https://context7.com/s0md3v/xsstrike/llms.txt Perform XSS bruteforcing using custom payload files or POST parameters. This allows for testing specific injection vectors against target parameters. ```bash python xsstrike.py -u "http://example.com/search.php?q=test" -f /path/to/payloads.txt python xsstrike.py -u "http://example.com/search.php" --data "q=test" -f payloads.txt -e base64 ``` -------------------------------- ### POST /core/dom Source: https://context7.com/s0md3v/xsstrike/llms.txt Analyzes provided JavaScript or HTML response content to identify potential DOM-based XSS vulnerabilities by tracking data flow from sources to sinks. ```APIDOC ## POST /core/dom ### Description Scans response text for DOM XSS by identifying tainted variables flowing from user-controllable sources (e.g., location.href) to dangerous sinks (e.g., innerHTML). ### Method POST ### Endpoint /core/dom ### Parameters #### Request Body - **response** (string) - Required - The HTTP response text to analyze. ### Response #### Success Response (200) - **vulnerabilities** (list) - A list of highlighted lines showing the path from source to sink. ``` -------------------------------- ### Web Crawling Mode in XSStrike Source: https://context7.com/s0md3v/xsstrike/llms.txt Crawl a target website to discover and test multiple endpoints automatically. The crawler extracts forms, parameters, and links, then tests each discovered parameter for XSS vulnerabilities. Supports custom depth and multi-threading, and can load seed URLs from a file. ```bash python xsstrike.py -u "http://example.com" --crawl python xsstrike.py -u "http://example.com" --crawl -l 5 -t 10 python xsstrike.py --seeds urls.txt --crawl -l 3 python xsstrike.py -u "http://example.com" --seeds additional_urls.txt --crawl -l 4 ``` -------------------------------- ### Blind XSS Injection with XSStrike Source: https://context7.com/s0md3v/xsstrike/llms.txt Inject blind XSS payloads during crawling to detect stored XSS vulnerabilities that execute in different contexts. Requires configuring the blind payload in core/config.py. Can be combined with increased crawl depth and multi-threading. ```bash # First, configure blind payload in core/config.py: # blindPayload = '\">' python xsstrike.py -u "http://example.com" --crawl --blind python xsstrike.py -u "http://example.com" --crawl -l 4 --blind -t 5 ``` -------------------------------- ### Perform DOM XSS Detection Source: https://context7.com/s0md3v/xsstrike/llms.txt Scan for DOM-based XSS vulnerabilities by analyzing client-side JavaScript. This feature can be toggled to optimize scan speed. ```bash python xsstrike.py -u "http://example.com/page.php?id=1" python xsstrike.py -u "http://example.com/page.php?id=1" --skip-dom ``` -------------------------------- ### Apply Payload Encoding Source: https://context7.com/s0md3v/xsstrike/llms.txt Encode payloads to bypass security filters or meet specific application requirements. ```bash python xsstrike.py -u "http://example.com/search.php?q=test" -e base64 python xsstrike.py -u "http://example.com/search.php?q=test" -f payloads.txt -e base64 ``` -------------------------------- ### Inject URL Parameters into DOM via innerHTML Source: https://github.com/s0md3v/xsstrike/blob/master/test.html Retrieves a parameter from the query string and injects it into a specific DOM element using innerHTML. This can lead to XSS if the input is not properly sanitized. ```javascript document.querySelector("#xss-d").innerHTML = new URLSearchParams(window.location.search).get("d"); ``` -------------------------------- ### Generate Context-Aware XSS Payloads Source: https://context7.com/s0md3v/xsstrike/llms.txt The generator function creates tailored XSS payloads based on the reflection context identified by the parser. It organizes payloads by confidence level, ranging from simple HTML injections to complex attribute breakouts. ```python def generator(occurences, response): """ Generate XSS payloads based on reflection contexts. """ pass ``` -------------------------------- ### Analyze DOM XSS Vulnerabilities Source: https://context7.com/s0md3v/xsstrike/llms.txt The dom function performs static analysis on JavaScript code to track data flow from user-controllable sources to dangerous execution sinks, highlighting potential DOM-based XSS vulnerabilities. ```python def dom(response): """ Analyze response for DOM XSS vulnerabilities. """ pass ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.