XSStrike is an advanced XSS detection suite. It has a powerful fuzzing engine and provides zero false positive results using fuzzy matching. XSStrike is the first XSS scanner to generate its own payloads. It is intelligent enough to detect and break out of various contexts.
Why XSStrike?
Every XSS scanner out there has a list of payloads, they inject the payloads and if the payload is reflected into the webpage, it is declared vulnerable but that’s just stupid. XSStrike on the other hand analyses the response with multiple parsers and then crafts payloads that are guaranteed to work. Here are some examples of the payloads generated by XSStrike:
Apart from that, XSStrike has crawled, fuzzing, WAF detection capabilities as well. It also scans for DOM XSS vulnerabilities.
Features
- Reflected and DOM XSS Scanning
- Multithreaded crawling
- Context analysis
- Configurable Core
- Highly Researched Workflow
- WAF detection & evasion
- Handmade HTML & JavaScript parser
- Powerful fuzzing engine
- Intelligent payload generator
- Complete HTTP Support
- Powered by Photon, Zetanize, and Arjun
Changelog
v3.1.2
- Fixed POST data handling
- Support for JSON POST data
- Support for URL rewriting
- Cleaner crawling dashboard
- No more weird characters while scanning DOM
- Better DOM XSS scanning
- Handle Unicode while writing to file
- Handle connection reset
- Added the ability to add headers from the command line
- Fixed issue which caused foundParams to not be tested
Installing
git clone https://github.com/s0md3v/XSStrike.git cd XSStrike pip install -r requirements.txt
Usage
python xsstrike
DOM XSS
Reflected XSS
Crawling
Hidden Parameter Discovery
Interactive HTTP Headers Prompt
Copyright (c) 2018 Somdev Sangwan
Source: https://github.com/s0md3v/