Pentest & Bug Bounty Resources and Techniques
Cross-Site Scripting (XSS)

XSSER

xsser -u "<URL>" --auto --cookie="<COOKIE>"

The target goes in -u (--url); --auto is a switch that injects xsser's built-in vector list rather than taking a URL. Parameters to inject are passed with -g (GET) or -p (POST), with the literal string XSS marking the injection point, and --cookie carries the session cookie so authenticated pages can be tested.

WFUZZ

Wfuzz is another popular tool used to fuzz applications not only for XSS vulnerabilities, but also SQL injections, hidden directories, form parameters, and more. It is included in Kali by default.

Basic usage of Wfuzz includes specifying a wordlist file including the payloads to use with the -z flag, and the URL to test, replacing the parameter in question with FUZZ. We can also set the -c flag to get color output.

wfuzz -c -z file,/usr/share/wfuzz/wordlist/Injections/XSS.txt http://domain.com/application/index.php?page=FUZZ

Also of use, when fuzzing an application where many different response codes might be encountered, the --hc flag hides responses with the given status codes (for example --hc 404), so only responses worth inspecting are listed.

Another helpful feature of Wfuzz is the ability to encode payloads in order to bypass defensive filters more effectively. Note that URL-encoding only changes how the payload looks on the wire: the server decodes it before the application sees it, so this defeats naive pattern matching on the raw request, not a server-side filter that inspects the decoded value.

Simply append the desired encoder (in this case urlencode) to the payload-file specification, separated by a comma, to encode every payload before it is sent.

wfuzz -c -z file,/usr/share/wfuzz/wordlist/Injections/XSS.txt,urlencode http://domain.com/application/index.php?page=FUZZ
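To make the wfuzz workflow above concrete (a payload wordlist, an optional urlencode encoder, a FUZZ marker in the URL, and a hide-by-status-code filter), here is a small reflected-XSS fuzzer that follows the same steps. This is an added example, not wfuzz's own code. The wordlist, the vulnerable and safe endpoints, and the `fake_server` stand-in are all constructed here so the script runs offline; on a real engagement you would swap `fake_server` for an HTTP request to a target you are authorised to test.

```python
"""Minimal reflected-XSS fuzzer mirroring the wfuzz invocation:
-z file,<wordlist>[,urlencode]  +  URL with FUZZ marker  +  --hc <codes>.
Added example; the target is a constructed stand-in, not a real server."""
from html import escape
from urllib.parse import urlsplit, parse_qs, quote

# Constructed stand-in for /usr/share/wfuzz/wordlist/Injections/XSS.txt
XSS_WORDLIST = [
    "<script>alert(1)</script>",
    "\"><svg onload=alert(1)>",
    "'-alert(1)-'",
    "<img src=x onerror=alert(1)>",
]


def fake_server(url):
    """Constructed target returning (status, body).
    /application/index.php reflects `page` unescaped (vulnerable),
    /application/safe.php HTML-escapes it, anything else is a 404 so the
    --hc style filter has something to hide."""
    parts = urlsplit(url)
    page = parse_qs(parts.query).get("page", [""])[0]  # parse_qs URL-decodes
    if parts.path == "/application/index.php":
        return 200, "<html><body><h1>Page: %s</h1></body></html>" % page
    if parts.path == "/application/safe.php":
        return 200, "<html><body><h1>Page: %s</h1></body></html>" % escape(page, quote=True)
    return 404, "Not Found"


def encode_payload(payload, encoder=None):
    """Mirror wfuzz's `file,<path>,urlencode` syntax: apply the named encoder."""
    if encoder is None:
        return payload
    if encoder == "urlencode":
        return quote(payload, safe="")
    raise ValueError("unknown encoder %r" % encoder)


def fuzz(url_template, wordlist, send=fake_server, encoder=None, hide_codes=(404,)):
    """Replace FUZZ with each (optionally encoded) payload, drop responses
    whose status is in hide_codes (like --hc), and report payloads that come
    back in the body byte-for-byte: raw reflection of the original payload
    means the application did not encode it, i.e. a likely XSS."""
    hits = []
    for payload in wordlist:
        url = url_template.replace("FUZZ", encode_payload(payload, encoder))
        status, body = send(url)
        if status in hide_codes:
            continue
        if payload in body:  # reflected without any output encoding
            hits.append((status, payload))
    return hits


if __name__ == "__main__":
    for status, payload in fuzz("http://domain.com/application/index.php?page=FUZZ",
                                XSS_WORDLIST, encoder="urlencode"):
        print(status, repr(payload))
```

Reflection of the raw payload is the signal wfuzz leaves you to read off the response size/word counts; this script checks it directly, which is also why the escaped endpoint produces no hits even though it returns 200.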

XSStrike

XSStrike is a dedicated suite for detecting cross-site scripting vulnerabilities that includes an intelligent payload generator, a fuzzer, a crawler, WAF detection, and more. XSStrike is currently in beta.

git clone https://github.com/s0md3v/XSStrike
cd XSStrike
pip3 install -r requirements.txt

This tool begins by checking for DOM-based XSS vulnerabilities, and the potentially vulnerable parameters are displayed on the screen. Reflected XSS is tested for next, and the interactive payload generator displays the payload and the projected likelihood of success. To continue scanning, hit y at the prompt.
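The "intelligent payload generator" described above works by first injecting a harmless unique probe, locating where it is reflected (HTML text, inside an attribute, inside a script block), then checking which special characters survive the application's encoding, and only then choosing a payload that can break out of that context. The following is an added illustration of that reflection-context analysis; it is not XSStrike's code, and the response templates, probe string and payload table are constructed here so it runs offline.

```python
"""Reflection-context analysis in the style of an XSStrike-like scanner.
Added example, not XSStrike's own code. Responses are constructed inline."""
import re
from html import escape

PROBE = "zq7xk"  # unique, harmless marker injected as the parameter value

# Constructed response templates; {} is where the parameter is reflected.
TEMPLATES = {
    "search": "<html><body><p>Results for {}</p></body></html>",
    "input":  '<input type="text" name="q" value="{}">',
    "js":     '<script>var q = "{}";</script>',
}


def make_sender(template, escape_output=False):
    """Return a function that 'sends' a value and returns the response body.
    escape_output=True simulates an application that HTML-encodes output."""
    def send(value):
        return template.format(escape(value, quote=True) if escape_output else value)
    return send


def find_context(body, probe=PROBE):
    """Classify where the probe landed: 'script', 'attr_dq', 'attr_sq',
    'attr_unq', 'tag' (inside a tag but not in a value), 'html', or 'none'."""
    idx = body.find(probe)
    if idx == -1:
        return "none"
    before = body[:idx]
    low = before.lower()
    if low.rfind("<script") > low.rfind("</script"):
        return "script"
    tag_start = before.rfind("<")
    if tag_start != -1 and before.rfind(">") < tag_start:   # tag still open
        m = re.search(r'''=\s*("|')?[^"'>]*$''', before[tag_start:])
        if m:
            return {'"': "attr_dq", "'": "attr_sq", None: "attr_unq"}[m.group(1)]
        return "tag"
    return "html"


def surviving_chars(send, chars='<>"\'/'):
    """Reflect each special character between two probes and keep those that
    come back unencoded; the more that survive, the higher the confidence."""
    return [c for c in chars if PROBE + c + PROBE in send(PROBE + c + PROBE)]


def suggest_payload(context, alive):
    """Pick a breakout payload that the context and surviving chars allow."""
    if context == "html" and {"<", ">"} <= set(alive):
        return "<svg onload=alert(1)>"
    if context == "attr_dq" and '"' in alive:
        return '" autofocus onfocus=alert(1) x="'
    if context == "attr_sq" and "'" in alive:
        return "' autofocus onfocus=alert(1) x='"
    if context == "attr_unq":
        return " autofocus onfocus=alert(1) x="
    if context == "script":
        if {"<", ">", "/"} <= set(alive):
            return "</script><svg onload=alert(1)>"
        if '"' in alive:
            return '";alert(1);//'
    return None


def analyse(send):
    """Full probe -> context -> surviving chars -> payload pipeline."""
    context = find_context(send(PROBE))
    alive = surviving_chars(send)
    return context, alive, suggest_payload(context, alive)


if __name__ == "__main__":
    for name, tpl in TEMPLATES.items():
        print(name, analyse(make_sender(tpl)))
    print("escaped", analyse(make_sender(TEMPLATES["search"], escape_output=True)))
```

The escaped variant is the important negative case: the probe is still reflected and the context is still "html", but none of `<`, `>`, `"` or `'` survive, so no payload is viable. A scanner that only checked for reflection would report a false positive there.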

Scan a single URL

Option: -u or --url. Test a single webpage which uses GET method.

python xsstrike.py -u "http://example.com/search.php?q=query"

Supplying POST data

Option: --data. Test a page that takes its parameters in the request body; the URL is still given with -u.

python xsstrike.py -u "http://example.com/search.php" --data "q=query"

Supply HTTP headers

Option: --headers. This option will open your text editor (default is 'nano') and you can simply paste your HTTP headers and press Ctrl + S to save.

If your operating system doesn't support this or you don't want to do this anyway, you can simply add headers from the command line, separated by \n, as follows:

python xsstrike.py -u "http://example.com/page.php?q=query" --headers "Accept-Language: en-US\nCookie: null" --file-log-level DEBUG --log-file output.log