XSSRadare: Cross Site Scripting scanner using selenium webdriver

XSSRadare

Cross Site Scripting (XSS) scanner based on selenium webdriver

using XSSRadare you can scan a single URL or multiple URLs from XSS by using selenium web driver as a fuzzing interface, XSSRadare will help you to identify any XSS vulnerability in your web application.

XSSRadare will use some hardcoded payloads to test for XSS, for now, we prefer to write payload that contains alert javascript function because we already implemented the fuzzer to test for any alert triggered in the scanned page.

Installation

git clone https://github.com/mhaskar/XSSRadare.git

Requirement

You can install all the dependencies for XSSRadare using the following commands :

sudo ./system_requirments.sh

And make sure to add this line to your .bashrc file manually :

export PATH=$PATH:/opt/geckodriver

This line will make sure to link the geckodriver path to your current PATH so the XSSRadare can recognize it.

Note : sometimes you need to check your firefox compatibility with geckodriver in order to run the script correctly (currently we are using the latest one “geckodriver-v0.20.1 x64” version) please note the current version of Firefox on Kali Linux is (Firefox 52) which is not supported by the geckodriver version that we are using, so make sure to upgrade your firefox version if you are using Kali Linux, we are working on building a script to automate the whole process for you.

Usage

askar@hackbook:~# python XSSRadare.py  -h

 \ \/ / __/ __| _ \__ _ __| |___ _ _
  >  <\__ \__ \   / _` / _` / -_) '_|
 /_/\_\___/___/_|_\__,_\__,_\___|_|

[+] XSSRader Start working at : Tue May 29 01:39:59 2018

usage: XSSRadare.py [-h] [-u URL] [-v VIEW] [--stop] [--negative] [-fi FILE]

optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     URL to scan
  -v VIEW, --view VIEW  view firefox (on/off)
  --stop                stop when you find a vulnerability
  --negative            show negative attempts
  -fi FILE, --file FILE
                        name of the urls file to scan

 

You can start a simple XSS scan for an url using the following command:

askar@hackbook:~# python XSSRadare.py --url "http://localhost/xss.php?name=askar&age=21"
 __  _____ ___ ___         _
 \ \/ / __/ __| _ \__ _ __| |___ _ _
  >  <\__ \__ \   / _` / _` / -_) '_|
 /_/\_\___/___/_|_\__,_\__,_\___|_|

[+] XSSRader Start working at : Tue May 29 01:49:22 2018

[+] XSS Found on http://localhost/xss.php with params age=21&name=<script>alert("XSSED:D:")</script>
[+] Scan finished , number of found XSS : 1 

askar@hackbook:~#

 

Source: https://github.com/mhaskar/

Share