xssfinder: detecting reflected xss in websites
XSS Finder
Some simple tools which I'm using frequently to find XSS. Keep in mind: do not trust scripts alone! Sometimes the vulnerability is more complex and needs special treatment 😉 These scripts won't find DOM-based/dynamic XSS!
Why another XSS Find Tool?
Because most tools I tested did not find simple reflected XSS, which is why I hacked this script together. And it works... if you know how to use it.
Download
git clone https://github.com/Damian89/xssfinder.git
checkGivenParameters.py
How to execute:
python3 checkGivenParameters.py -url "http://victim/?param1=test&param2=test2&foo=bar" -payload '[XSS"]'
This script…
- searches for inputs, textareas, selects and buttons and uses their name/id values as additional GET parameters
- replaces every GET value with the given payload and checks whether it is reflected in the HTTP body
Optional parameters:
- payload
Hints
Using the default payload may result in a lot of false positives.
Screenshots
XSS on a Starbucks subdomain
XSS on a General Motors subdomain
parameterSearchInChunksSingleThread.py
How to execute:
python3 parameterSearchInChunksSingleThread.py -url "http://victim/" -paramlist params.txt --extended -extendedchar "<" -chunksize 75 --verbose -wait 5
This script…
- searches for inputs, textareas, selects and buttons and uses their name/id values as additional GET parameters
- also adds the current URL's GET parameters (if any exist)
- creates a custom payload for every parameter, then splits the parameters into evenly sized chunks
- generates a param=value query string for every chunk, requests it, and checks the response for every payload in that chunk
Optional parameters:
- paramlist
- verbose
- extended
- chunksize (default: 75; using a bigger value may result in server errors due to small client buffer settings!)
- extendedchar
- wait (default: 0, wait time in seconds between requests)
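The reflection check both scripts are described as doing, written here as an added example in Python (not code from the xssfinder repository): one unique canary per parameter, parameters sent in chunks, and each response checked for every canary in that chunk; with an extended character it also tells a raw reflection apart from an HTML-encoded one. The simulated_server function and the parameter names are constructed stand-ins, not a real site.

```python
import html
import secrets
from typing import Callable, Dict, List
from urllib.parse import parse_qs, urlencode


def make_payloads(params: List[str], extended_char: str = "") -> Dict[str, str]:
    """One unique random canary per parameter, so a reflection can be attributed
    to exactly one parameter even when many are sent in the same request.
    extended_char (the page's -extendedchar) is appended so we can tell whether
    the app reflects that character raw or HTML-encoded."""
    return {p: f"xf{secrets.token_hex(4)}{extended_char}" for p in params}


def chunked(items: List[str], size: int) -> List[List[str]]:
    """Split the parameter list into evenly sized chunks (the page's -chunksize)."""
    return [items[i:i + size] for i in range(0, len(items), size)]


def check_reflection(params: List[str], fetch: Callable[[str], str],
                     chunksize: int = 75, extended_char: str = "") -> Dict[str, bool]:
    """Return {param: raw} for every parameter whose canary shows up in the body.
    raw=True means the canary (extended_char included) came back verbatim;
    raw=False means it came back HTML-encoded, i.e. the app is escaping output."""
    payloads = make_payloads(params, extended_char)
    found: Dict[str, bool] = {}
    for chunk in chunked(params, chunksize):
        body = fetch(urlencode({p: payloads[p] for p in chunk}))
        for p in chunk:
            if payloads[p] in body:
                found[p] = True
            elif extended_char and html.escape(payloads[p], quote=False) in body:
                found[p] = False
    return found


def simulated_server(query: str) -> str:
    """Constructed stand-in for a web app (not a real site): 'q' is reflected
    unencoded, 'name' is HTML-escaped, every other parameter is ignored."""
    qs = parse_qs(query)
    q = qs.get("q", [""])[0]
    name = html.escape(qs.get("name", [""])[0], quote=False)
    return f"<html><body><h1>Results for {q}</h1><p>Hello {name}</p></body></html>"


if __name__ == "__main__":
    names = ["q", "name", "id", "page", "lang"]
    print(check_reflection(names, simulated_server, chunksize=2, extended_char="<"))
```

Without an extended character an encoded reflection looks identical to a raw one, which is one reason a plain default payload produces many hits that still need manual checking.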
Screenshots
Checking the Brute Logic XSS page with a parameter wordlist…
Checking the Brute Logic XSS page without a parameter wordlist…
Checking a Starbucks subdomain (with XSS):
Author: Damian89
Source: https://github.com/Damian89/