Pentest & Bug Bounty Resources and Techniques
  • Pentest & Bug Bounty Resources and Techniques
    • Introduction
    • Tests Checklist
    • OSINT
    • Communications Security
      • SSL/TLS
    • Networking
      • Subdomains Discovery
        • DNS & OSINT
        • DNS Brute force
          • Second DNS Brute-Force Round
      • Subdomain Takeover
      • Network Host Scan/Discovery
        • External/Internal
        • Internal only
      • Network Vulnerability Scanning
      • Network Hacking
      • Parsing
      • Reporting
    • Brute Force
      • Wordlists
      • Databases
      • SSH
    • Web
      • Endpoint Discovery
      • Infrastructure & Configuration
        • Headers
        • WAF Detection/ Evasion
      • Injection
        • GraphQL
        • Cross-Site Scripting (XSS)
        • SQL Injection
        • Payloads
      • SSRF & XXE
        • Labs & Resources
        • Tools
        • SVG SSRF Cheatsheet
        • XXE - XEE - XML External Entity
      • JWT Vulnerabilities (Json Web Tokens)
      • HTTP/S DoS
    • Mobile
      • Both
        • SAST
          • MobSF
        • DAST
          • Installing Frida and Objection
      • Android
        • Create a Lab
          • Rooting Android Emulator
          • Rooting Android Emulator Cheat Sheet
        • APK Certificates
        • SAST
          • APKs
            • Get Information from APK
            • GDA (GJoy Dex Analysizer)
            • Scanning APK for URIs, endpoints & secrets
            • Google Maps API Scanner
        • DAST
          • Rooting the Android Studio AVDs
          • non-Rooted devices
            • Bypass SSL Pinning - non-rooted devices
              • Method 1: apk-mitm
              • Instrumentation with Frida and Objection
                • Bypass SSL Pinning - Method 2: With Objection Explore
                • Bypass SSL Pinning - Method 3: With root_bypass.js
          • Rooted Devices
            • Run frida-server in the emulator or device
            • Inject Frida
            • Bypass SSL Pinning - rooted devices
              • Install Burp CA as a system-level CA on the device
      • iOS
        • SAST
          • Building a reverse iOS engineering environment for free
          • Test Vulnerabilities
  • Lets Practice
    • Virtual Machines
    • Vulnerable App
    • Guided Labs
    • CTFs
  • Group 1
    • AI
Powered by GitBook
On this page
  • XSSHunter
  • XSStrike
  • Scan a single URL
  • Supplying POST data
  • Testing URL path components
  • Treat POST data as JSON
  • Using Proxies
  • tplmap
  • Sleepy Puppy
  • Commix
  • XSS Radar
  1. Pentest & Bug Bounty Resources and Techniques
  2. Web

Injection

PreviousWAF Detection/ EvasionNextGraphQL

Last updated 1 year ago

XSSHunter

Repo:

Info: This is a portable version of the source code running on https://xsshunter.com. It is designed to be easily-installable on any server for security professionals and bug bounty hunters who wish to test for XSS in a much more powerful way.

If you don't want to set up this software and would rather just start testing, see .

XSStrike

Repository:

Usage:

Scan a single URL

Option: -u or --url

Test a single webpage which uses GET method.

python xsstrike.py -u "http://example.com/search.php?q=query"

Supplying POST data

python xsstrike.py -u "http://example.com/search.php" --data "q=query"

Testing URL path components

Option: --path

Want to inject payloads in the URL path like http://example.com/search/<payload>, you can do that with --path switch.

python xsstrike.py -u "http://example.com/search/form/query" --path

Treat POST data as JSON

Option: --json

This switch can be used to test JSON data via POST method.

python xsstrike.py -u "http://example.com/search.php" --data '{"q":"query"}' --json

Using Proxies

Option: --proxy (Default 0.0.0.0:8080)

You have to set up your prox(y|ies) in core/config.py and then you can use the --proxy switch to use them whenever you want. More information on setting up proxies can be found here.

python xsstrike.py -u "http://example.com/search.php?q=query" --proxy

tplmap

Info: Tplmap assists the exploitation of Code Injection and Server-Side Template Injection vulnerabilities with a number of sandbox escape techniques to get access to the underlying operating system.

The tool and its test suite are developed to research the SSTI vulnerability class and to be used as offensive security tool during web application penetration tests.

The sandbox break-out techniques came from James Kett's Server-Side Template Injection: RCE For The Modern Web App, other public researches [1] [2], and original contributions to this tool [3] [4].

It fully compromises the server exploiting several code context and blind injection scenarios. It also supports eval()-like code injections in Python, Ruby, PHP, Java and generic unsandboxed template engines.

Sleepy Puppy

Info: Sleepy Puppy is a cross-site scripting (XSS) payload management framework which simplifies the ability to capture, manage, and track XSS propagation over long periods of time.

Commix

Info: Commix (short for [comm]and [i]njection e[x]ploiter) is an automated tool written by Anastasios Stasinopoulos (@ancst) that can be used from web developers, penetration testers or even security researchers in order to test web-based applications with the view to find bugs, errors or vulnerabilities related to command injection attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or HTTP header.

XSS Radar

Info: XSS Radar is a tool that detects parameters and fuzzes them for cross-site scripting vulnerabilities.

Repo:

Repo:

Repo:

Repo:

https://github.com/mandatoryprogrammer/xsshunter
https://xsshunter.com
https://github.com/s0md3v/XSStrike/
https://github.com/s0md3v/XSStrike/wiki/Usage
https://github.com/epinna/tplmap
https://github.com/Netflix/sleepy-puppy
https://github.com/commixproject/commix
https://github.com/bugbountyforum/XSS-Radar