NoXss: Faster xss scanner which supports reflected-xss and dom-xss

NoXss

NoXss is a cross-site script vulnerability scanner supported reflected xss and dom-based xss. It’s very fast and suitable for testing millions of urls. It has found some xss vulnerabilities in the Bug Bounty program.

Features

• Fast and suitable for testing millions of urls
• Support Dom-based xss(use Chrome or Phantomjs) and reflected xss
• Only use 8 Payloads based on injection position now(not fuzz, more accurate, faster)
• Async request(use gevent) and Multi-processed
• Support single url, file, and traffic from Burpsuite
• Traffic filter based on an interface
• Support special headers(referer, cookie, customized token,e.g.)
• Support rescan quickly by id

How does NoXss work?

Payloads

NoXss uses only 8 payloads for scanning. These payloads are based on param’s reflected position. Fewer payloads make it faster than fuzzing.

Async&multi-process

NoXss is highly concurrent for using coroutine.

Support dom-based xss

More and more page is using dom to render html.NoXss can parse it with using Phantomjs(default) or chrome.

Analysis files

Some xss is difficult to scan.NoXss will save some files in traffic/ for analyzing, include:

• *.traffic(traffic file during scanning)
• *.reflect(param’s reflected result)
• *.redirect(30x response)
• *.error(some error happened such as timeout, connection reset,etc.)
• *.multipart(when a request is multipart-formed, not easy to scan)

Install

git clone https://github.com/lwzSoviet/NoXss.git

Ubuntu

• 1.apt-get install flex bison phantomjs
• 2.pip install -r requirements.txt

Centos

• 1.yum install flex bison phantomjs
• 2.pip install -r requirements.txt

MacOS

• 1.brew install grep findutils flex phantomjs
• 2.pip install -r requirements.txt

If you want to scan using “–browser=chrome”, you must install chrome manually. You can use “–check” to test the installation.
python start.py –check

Usage

python start.py --url url --save

python start.py --url url --cookie cookie --browser chrome --save  

python start.py --url url --cookie cookie --browser chrome-headless --save  

python start.py --file ./url.txt --save  

python start.py --burp ./test.xml --save  

python start.py --file file --filter

How to scan data from Burpsuite

In Proxy,”Save items” ==> “test.xml”

Then you can scan test.xml:

python start.py –burp=./test.xml

How to rescan

After scanning firstly, there will be taskid.traffic and taskid.reflect in ./traffic/:

• taskid.traffic: Web traffic of request(pickled).
• taskid.reflect: Reflected result (pickled)that included reflected params, reflected position,type and others.
  NoXss will use these middle files to rescan:
  python start.py –id taskid –save

Copyright (c) 2019 LwzSoviet

Source: https://github.com/lwzSoviet/