xsssniper: An automatic XSS discovery tool
xsssniper is a handy XSS discovery tool with mass scanning functionality.
It scans the target URL for GET parameters, injects an XSS payload into each of them, and parses the response for artifacts of the injection (a check string).
The simplest example is to inject <script type="text/javascript">window.alert('lol')</script> and look for <script type="text/javascript">window.alert('lol')</script> in the response; if there is a match, we may have just found an XSS.
If no check string is specified, xsssniper uses the payload itself as the check string.
If no payload is specified either, a special file of common payloads is parsed (lib/payloads.xml, feel free to contribute!).
Another useful feature is the ability to crawl the target URL for relative links. Every link found is added to the scan queue and processed, so it’s easier to test an entire website.
In the end, this method is not foolproof, but it is a good heuristic for mass-finding injection points and testing escape strategies. A reflected payload only proves the parameter reaches the page, not that it executes: the reflection context (HTML body, attribute value, JavaScript string), server-side encoding and browser XSS protections all decide that. Since there is no browser emulation, it is your job to manually test discovered injections against the various browsers' XSS protections.
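The inject-and-look-for-the-artifact heuristic described above, as an added example in Python (not xsssniper's own code). It builds one mutated URL per GET parameter, fetches it through a hypothetical `fetch` callable, and reports whether the check string came back raw or only in its HTML-escaped form, which is the distinction that matters when testing escape strategies. `fake_fetch` is a constructed stand-in for an HTTP GET so the scan runs offline; with a real target you would pass a function that performs the request and returns the body.

```python
"""Reflection-based XSS probe in the style of xsssniper.

Added example, not the project's own code. `fetch` is a hypothetical
callable (url -> response body) so the scan can run offline.
"""
import html
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Same payload the README uses as its simplest example.
DEFAULT_PAYLOAD = '<script type="text/javascript">window.alert(\'lol\')</script>'


def build_injected_urls(url, payload):
    """For each GET parameter, return (name, url_with_payload_in_that_param).

    Only one parameter is mutated per URL so a reflection can be attributed
    to a single injection point.
    """
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    results = []
    for i, (name, _value) in enumerate(params):
        mutated = list(params)
        mutated[i] = (name, payload)
        results.append((name, urlunsplit(parts._replace(query=urlencode(mutated)))))
    return results


def classify_reflection(body, check):
    """Return 'raw' if the check string appears verbatim, 'encoded' if only
    its HTML-escaped form appears, and None if it is not reflected at all.

    A raw reflection is the interesting case; an encoded one tells you the
    server escapes that parameter, so a different escape strategy is needed.
    """
    if check in body:
        return "raw"
    if html.escape(check, quote=True) in body:
        return "encoded"
    return None


def scan(url, fetch, payload=DEFAULT_PAYLOAD, check=None):
    """Inject the payload into every GET parameter and classify the reflection.

    As in xsssniper, when no check string is given the payload itself is the
    check string. Returns a list of (param_name, kind, injected_url).
    """
    check = payload if check is None else check
    findings = []
    for name, injected in build_injected_urls(url, payload):
        kind = classify_reflection(fetch(injected), check)
        if kind is not None:
            findings.append((name, kind, injected))
    return findings


def fake_fetch(url):
    """Constructed stand-in for an HTTP GET (not a real target).

    'page' is reflected unescaped, 'q' is HTML-escaped, 'id' is never echoed.
    """
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return (
        "<html><body>"
        f"<h1>{params.get('page', '')}</h1>"
        f"<p>Search: {html.escape(params.get('q', ''), quote=True)}</p>"
        "</body></html>"
    )


if __name__ == "__main__":
    # Hypothetical target URL with three GET parameters.
    for name, kind, injected in scan("http://target.com/index.php?page=test&q=x&id=7", fake_fetch):
        print(f"[{kind}] param={name} url={injected}")
```

Only the `page` finding is a candidate XSS; `q` is reported as encoded so you know the server escapes it, and `id` is silently dropped because it never reaches the page. As the text says, a raw reflection still has to be confirmed in a browser.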
Download
git clone https://github.com/gbrindisi/xsssniper.git
Usage
Examples:
Scanning a single URL with GET params:
$ python xsssniper.py -u "http://target.com/index.php?page=test"
Scanning a single URL with POST params:
$ python xsssniper.py -u "http://target.com/index.php" --post --data=POST_DATA
Crawl a single URL looking for forms to scan:
$ python xsssniper.py -u "http://target.com" --forms
Mass scan an entire website:
$ python xsssniper.py -u "http://target.com" --crawl
Mass scan an entire website, forms included:
$ python xsssniper.py -u "http://target.com" --crawl --forms
Analyze the target page's JavaScript (embedded and linked) to search for common sinks and sources:
$ python xsssniper.py -u "http://target.com" --dom
Copyright (c) 2012, Gianluca Brindisi < g@brindi.si >
Source: https://github.com/gbrindisi/