XSSRadare: Cross Site Scripting scanner using selenium webdriver


Cross Site Scripting (XSS) scanner based on selenium webdriver

using XSSRadare you can scan a single URL or multiple URLs from XSS by using selenium web driver as a fuzzing interface, XSSRadare will help you to identify any XSS vulnerability in your web application.

XSSRadare will use some hardcoded payloads to test for XSS, for now, we prefer to write payload that contains alert javascript function because we already implemented the fuzzer to test for any alert triggered in the scanned page.


git clone https://github.com/mhaskar/XSSRadare.git


You can install all the dependencies for XSSRadare using the following commands :

sudo ./system_requirments.sh

And make sure to add this line to your .bashrc file manually :

export PATH=$PATH:/opt/geckodriver

This line will make sure to link the geckodriver path to your current PATH so the XSSRadare can recognize it.

Note : sometimes you need to check your firefox compatibility with geckodriver in order to run the script correctly (currently we are using the latest one “geckodriver-v0.20.1 x64” version) please note the current version of Firefox on Kali Linux is (Firefox 52) which is not supported by the geckodriver version that we are using, so make sure to upgrade your firefox version if you are using Kali Linux, we are working on building a script to automate the whole process for you.


askar@hackbook:~# python XSSRadare.py  -h

\ \/ / __/ __| _ \__ _ __| |___ _ _
> <\__ \__ \ / _` / _` / -_) '_|

[+] XSSRader Start working at : Tue May 29 01:39:59 2018

usage: XSSRadare.py [-h] [-u URL] [-v VIEW] [--stop] [--negative] [-fi FILE]

optional arguments:
-h, --help show this help message and exit
-u URL, --url URL URL to scan
-v VIEW, --view VIEW view firefox (on/off)
--stop stop when you find a vulnerability
--negative show negative attempts
-fi FILE, --file FILE
name of the urls file to scan


You can start a simple XSS scan for an url using the following command:

askar@hackbook:~# python XSSRadare.py --url "http://localhost/xss.php?name=askar&age=21"

__ _____ ___ ___ _
\ \/ / __/ __| _ \__ _ __| |___ _ _
> <\__ \__ \ / _` / _` / -_) '_|

[+] XSSRader Start working at : Tue May 29 01:49:22 2018

[+] XSS Found on http://localhost/xss.php with params age=21&name=<script>alert("XSSED:D:")</script>
[+] Scan finished , number of found XSS : 1



Source: https://github.com/mhaskar/