XSStrike – Fuzz and Bruteforce Parameters for XSS

XSStrike is a python which can fuzz and bruteforce parameters for XSS. It can also detect and bypass WAFs.

Installing XSStrike

Use the following command to download it

git clone http://ift.tt/2rXG43z

After downloading, navigate to XSStrike directory with the following command

cd XSStrike

Now install the required modules with the following command

pip install -r requirements.txt

Now you are good to go! Run XSStrike with the following command

python xsstrike

Using XSStrike

You can enter your target URL now but remember, you have to mark the most crucial parameter by inserting “d3v” in it.

For example: http://ift.tt/2thceLvd3v&category=1

After you enter your target URL, XSStrike will check if the target is protected by a WAF or not. If its not protected by WAF you will get three options

1.- Fuzzer: It checks how the input gets reflected in the webpage and then tries to build a payload according to that.

2.- Striker: It bruteforces all the parameters one by one and generates the proof of concept in a browser window.

3.- Hulk: Hulk uses a different approach, it doesn’t care about reflection of input. It has a list of polyglots and solid payloads, it just enters them one by one in the target parameter and opens the resulted URL in a browser window.

XSStrike can also bypass WAFs

XSStrike currently supports GET only but support for POST will be added soon. Unlike other stupid bruteforce programs, XSStrike has a small list of payloads but they are the best one. Most of them are carefully crafted by me.

XSStrike is inspired from BruteXSS and Intellifuzzer-XSS.

from KitPloit – PenTest Tools! http://ift.tt/2sX1Aa3



Introduce tus datos o haz clic en un icono para iniciar sesión:

Logo de WordPress.com

Estás comentando usando tu cuenta de WordPress.com. Cerrar sesión / Cambiar )

Imagen de Twitter

Estás comentando usando tu cuenta de Twitter. Cerrar sesión / Cambiar )

Foto de Facebook

Estás comentando usando tu cuenta de Facebook. Cerrar sesión / Cambiar )

Google+ photo

Estás comentando usando tu cuenta de Google+. Cerrar sesión / Cambiar )

Conectando a %s