Would it be possible to support second order XSS? That is inject the payload on X URL, and then check Y to see if injection is successful where Y could even be seperate domain.

The SQLmap has a great functionality of being able to use the request from file. Is it possible to implement something like that for XSStrike? I can see an example where language from "Accept-Language" is reflected back from the server within the HTTP response. Also, it would ease up integration with other tools or usecases, like using POST with data in URI + body.

When i executed your script i got this message at startup

/home/terabyte/.local/lib/python2.7/site-packages/fuzzywuzzy/fuzz.py:35: UserWarning: Using slow pure-python SequenceMatcher. Install python-Levenshtein to remove this warning
  warnings.warn('Using slow pure-python SequenceMatcher. Install python-Levenshtein to remove this warning')

PS : its a warning

Requirement already satisfied: fuzzywuzzy in /usr/local/lib/python2.7/dist-packages

How can I fix this ? :(

Hey there,
The cookies are not supported by your tool, the cookie variable was not used anywhere in your code.

Hi, I'm using Kali Linux and want to try XSStrike, but when I try to launch it, I have an error message:
"Traceback (most recent call last):
File "./xsstrike", line 21, in
from core.injector import inject
File "/root/XSStrike/core/injector.py", line 9, in
from core.test_param_check import test_param_check
File "/root/XSStrike/core/test_param_check.py", line 4, in
from fuzzywuzzy import fuzz # Module for fuzzy matching
ModuleNotFoundError: No module named 'fuzzywuzzy'
"
when I try to install all the requirements with "pip install -r requirements.txt" a have such a message:
"Requirement already satisfied: fuzzywuzzy in /usr/local/lib/python2.7/dist-packages (from -r requirements.txt (line 1))
"

How can I resolve this one???

The mechanize dependency is only supported in Python 2.7 with documented resistance to putting out a Python 3 compatible version. This prevents the project from offering full Python 3 support.

Hey Guys,

Can you update please what is the correct syntax to add cookie to the request?
The current cookie is as follows:
qa=WSAFEDADDFDFDFDF363DD6903C7D33875645B460A08CBCD4C918B1GFGDGJHDSD435345345435C3FFDBB66874074578B59EA0D; __RequestVerification=2Ksdf5UKbXSr_Moxq59OjbghgKpCHENwf; path=/; domain=qa.example.com;

I've tried using brackets, semicolon etc with no luck.

Thanks!
Z0rkan

Is it possible to scan a request which needs to have data in both URI as well as body? When I transform request to GET, or move all the parameters into POST, the tested website doesn't work. Hence I need to be able to instruct XSStrike to use both parameters in POST body as well as URI. At this moment, I don't see the option.

The colors module is removed from the core because of which i am not able to run this tool please update it

$ python xsstrike.py
Traceback (most recent call last):
File "xsstrike.py", line 5, in
from core.colors import end, red, white, green, yellow, run, bad, good, info, que
ImportError: No module named colors

The program is terminated for unknow error, the output is
[?] Enter a url: Traceback (most recent call last): File "./xsstrike", line 256, in <module> main() #This is the true start of the program File "./xsstrike", line 219, in main target = input('%s Enter a url: ' % que) EOFError
I've tried on both MacOS and kali system, anyone has similar problems please?

This happened after the latest update

Traceback (most recent call last):
File "xsstrike", line 17, in
from urllib.parse import urlparse, parse_qs, quote_plus
ImportError: No module named parse

It should be helpful to keep the response of the reflection tests in variables to lookup for each reflection, not sending the same payload, receiving the same answer, for each payload again. E.g. on 21 reflections the same three payloads will be sent 21 times.
See screenshot for repeatition on each reflection, an new request is sent:

If I understand correctly, the data parameter has to be a dictionary, where now it's actually a string:

http://docs.python-requests.org/en/master/user/quickstart/#more-complicated-post-requests

The result of my debugging is that no actual POST parameters are posted, thus the whole POST scans don't actually scan anything.

sorry i can't test post...
can u told us how to test the post parameter
thank u

Doesn't Exist

https://pypi.python.org/simple/webbrowser/

Hi,
I wanted to use XSStrike on XSS I found, but it didn't recognize it. As you can see on the piucture, it's a very simple GET with a single parameter returned in the response. No WAF, no output encoding, no session required.

While reviewing your tool (XSStrike tool review), we found that your website is not working.

Hi, Somdev Sangwan,
Nice xss detector, but I'm really confused about the relationship between "Levenshtein Algorithm For Accuracy", as I met many false positives recently.
So u mind to explain this confusion ?
Thx!

I cann't find the Levenshtein in your python code。
मैंने आपके टूल का परीक्षण करने या झूठी सकारात्मक पाया।

I am running the tool against: https://pentesterlab.com/exercises/web_for_pentester

Get the following error:

$ python xsstrike
  ____  ___  _________ _________ __          __ __           
  \   \/  / /   _____//   _____//  |________|__|  | __ ____  
   \     /  \_____  \ \_____  \\   __\_  __ \  |  |/ // __ \ 
   /     \  /        \/        \|  |  |  | \/  |    <\  ___/ 
  /___/\  \/_______  /_______  /|__|  |__|  |__|__|_ \\___  >
        \_/        \/        \/                     \/    \/ v2.0

[~] Checking for update
[?] Enter a url: http://192.168.0.31/xss/example1.php?name=hacker
[?] Enter cookie (if any): 
[?] Would you like to look for hidden parameters? [y/N] 
[+] WAF Status: Offline
--------------------------------------------------
[~] Testing parameter name
[+] Filter Strength : Low or None
[+] Payload: <svg/onload=(confirm)()>
[+] Efficiency: 100%
[?] A payload with 100% efficiency was found. Continue scanning? [y/N] 
Traceback (most recent call last):
  File "xsstrike", line 757, in <module>
    input() #This is the true start of the program
  File "xsstrike", line 750, in input
    initiator(url, GET, POST)
  File "xsstrike", line 659, in initiator
    filter_checker(url, param_data, GET, POST) # Launces filter checker
  File "xsstrike", line 246, in filter_checker
    print '%s Target doesn\'t seem to respond properly. Error Code: %s' % (bad, re.search(r'\d\d\d', str(e)).group())
AttributeError: 'NoneType' object has no attribute 'group'

Can you write an example of using POST feature?

that is a programming issue as i know

Traceback (most recent call last):
File "xsstrike", line 1070, in
post_choice() #Printing menu items which supports POST method
File "xsstrike", line 1019, in post_choice
param_data = extractParams(param_data) #Sending POST data to a module which can arrange them
File "xsstrike", line 821, in extractParams
param_data[item.split('=',1)[0]] = item.split('=',1)[1]
IndexError: list index out of range

[?] Enter the target URL: http://./.php
[?] Enter cookie (if any):
[!] The URL you entered seems to use POST Method.
[?] Enter post data: =&=d3v&=&****=&=&****=

1. Striker
2. Ninja
   Enter your choice: 1

[>] Payloads loaded: 17
[>] Striking the parameter(s)
[>] Testing parameter: ****
[>] Payloads injected: 17 / 17
[-] '' parameter not vulnerable.
[>] Testing parameter: ****
[>] Payloads injected: 17 / 17
[-] '' parameter not vulnerable.
[>] Testing parameter: *********
[>] Payloads injected: 17 / 17
[-] '' parameter not vulnerable.
[>] Testing parameter: **********
[>] Payloads injected: 17 / 17
[-] '' parameter not vulnerable.
[>] Testing parameter: ******

] Payloads injected: 17 / 17
[-] '' parameter not vulnerable.
[>] Testing parameter:
[>] Payloads injected: 17 / 17
[-] '' parameter not vulnerable.

Traceback (most recent call last):
  File "xsstrike", line 1121, in <module>
    post_choice() #Printing menu items which supports POST method
  File "xsstrike", line 1064, in post_choice
    POST()
  File "xsstrike", line 651, in POST
    complete(conclusion)
NameError: global name 'conclusion' is not defined

XSStrike throws an error when crawling some pages.

Steps to reproduce:

python3 xsstrike.py -u http://testphp.vulnweb.com/ --crawl

[~] Scanning search.php?test=query, searchFor
Traceback (most recent call last):
File "xsstrike.py", line 220, in
response = requester(url, paramsCopy, headers, GET, delay).text
File "/home/meow/XSStrike/core/requester.py", line 17, in requester
response = requests.post(url, data=data, headers=headers, verify=False)
File "/home/meow/.local/lib/python3.6/site-packages/requests/api.py", line 116, in post
return request('post', url, data=data, json=json, **kwargs)
File "/home/meow/.local/lib/python3.6/site-packages/requests/api.py", line 60, in request
return session.request(method=method, url=url, **kwargs)
File "/home/meow/.local/lib/python3.6/site-packages/requests/sessions.py", line 510, in request
prep = self.prepare_request(req)
File "/home/meow/.local/lib/python3.6/site-packages/requests/sessions.py", line 453, in prepare_request
hooks=merge_hooks(request.hooks, self.hooks),
File "/home/meow/.local/lib/python3.6/site-packages/requests/models.py", line 313, in prepare
self.prepare_url(url, params)
File "/home/meow/.local/lib/python3.6/site-packages/requests/models.py", line 387, in prepare_url
raise MissingSchema(error)
requests.exceptions.MissingSchema: Invalid URL 'search.php?test=query': No schema supplied. Perhaps you meant http://search.php?test=query?

Traceback (most recent call last):
File "xsstrike", line 21, in
from core.injector import inject
File "/root/XSStrike/core/injector.py", line 9, in
from core.test_param_check import test_param_check
File "/root/XSStrike/core/test_param_check.py", line 4, in
from fuzzywuzzy import fuzz # Module for fuzzy matching
ModuleNotFoundError: No module named 'fuzzywuzzy'

Hello

I'm using a system behind a proxy. How to include proxy in the code ?

Thank you

Hi,
I'm testing a web app, which is quite accessible without problems. However, when I try to use the URL, it simply says "Target isn't responding properly." and it won't let me further. How to overcome that issue?
Thanks

I wrote a simple reflection xss vunerable demo:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
<script>
    function getParameterByName(name, url) {
        if(!url) url = window.location.href;
        name = name.replace(/[\[\]]/g,"\\$&")
        var regex = new RegExp("[?&]" + name + "(=([^&#]*)|&|#|$)"),
            results = regex.exec(url);
        if(!results) return null;
        if(!results[2]) return '';
        return decodeURIComponent(results[2].replace(/\+/g)," ")
    }
    var content = getParameterByName('test')
    var script = document.createElement('script')
    script.innerHTML = content
    document.body.appendChild(script)
</script>
</body>
</html>

and then start the xsstrike to check it :

[?] Enter a url: http://localhost:8888/test/test.html?test=d3v
[?] Enter cookie (if any):
[?] Would you like to look ofr hiddent parameters? [y/N]
[+] WAF status: Offline
-------------------------------------------------------
[~]Testing parameter test
[-] Filter Strength : High
[-] No reflection found.
[!] Executing project HULK for blind XSS Detection
.................

However enter 'http://localhost:8888/test/test.html?test=alert()' in browser url actually show a reflection xss attack

Hi there. Add please proxy support, thanks

Not working in mac.

When i run python xsstrike following error occur.

[~] Checking for updates... Traceback (most recent call last): File "xsstrike", line 128, in <module> update() File "xsstrike", line 39, in update xsstrike = br.open('https://github.com/UltimateHackers/XSStrike/blob/master/xsstrike').read() File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/mechanize/_mechanize.py", line 254, in open return self._mech_open(url_or_request, data, timeout=timeout) File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/mechanize/_mechanize.py", line 284, in _mech_open response = UserAgentBase.open(self, request, data) File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/mechanize/_opener.py", line 195, in open response = urlopen(self, req, data) File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/mechanize/_urllib2_fork.py", line 352, in _open '_open', req) File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/mechanize/_urllib2_fork.py", line 340, in _call_chain result = func(*args) File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/mechanize/_urllib2_fork.py", line 1215, in https_open return self.do_open(conn_factory, req) File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/mechanize/_urllib2_fork.py", line 1160, in do_open raise URLError(err) urllib2.URLError: <urlopen error [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:661)>

Take a look at this repo :- https://github.com/bcessa/docker

This guy have made docker integration of some of your tools i suggest you integrate this in your project possibly ?

[?] Would you like to look for hidden parameters? [y/N] y
[+] Heuristics found a potentially valid parameter: q. Priortizing it.
[+] Heuristics found a potentially valid parameter: l. Priortizing it.
[~] Parameters checked: 29/97
[-] Target isn't responding properly.

error 👍
(https://user-images.githubusercontent.com/37764006/41677652-87fb6856-74e6-11e8-97fa-397992932a96.jpeg)
pip install -r requirements.txt

and getting error when try to open the pkg file . try to open with python , python2 , python3 but not opening. it showing module error
(https://user-images.githubusercontent.com/37764006/41677720-c0516502-74e6-11e8-8b8e-8abd7de5828a.jpeg)

Hello,
Congrats for the tool. Its nice.
My request is the support for the URI injections whenever there is no GET or POST traditional parameters.
Whenever the site uses Apache mod_rewrite for example:
From
GET http://site.com/index.php?post=test-post
to
GET http://site.com/index/post/test-post/
So the tool can try to inject here
http://site.com/index/post/test-post/{inject_here}
thanks!

Could you pls consider that add a option to supply some cookies to the program?
Thanks for you sharing this wonderful tool.

The tool can't be used when the get parameter is not needed. for example
url: http://xxxx/index.php
<form method="post" action="/index.php">
-----------------------
payload: http://xxxx/index.php/"><svg/onload=alert(1)>
<form method="post" action="/index.php/"><svg/onload=alert(1)>">
-----------------------

Hey,

There seems to be an error when a WAF is active on a target.

To reproduce the error:

run python xsstrike

enter the url: https://www.myer.com.au/shop/mystore/StoreLocator?storeSearch=d3v

when "[?] A WAF is active on the target. Would you like to delay requests to evade suspicion? [y/N]"
shows up, press y then enter

it'll output

Traceback (most recent call last):
File "xsstrike", line 699, in
input() #This is the true start of the program
File "xsstrike", line 692, in input
initiator(url, GET, POST)
File "xsstrike", line 598, in initiator
fuzzer(url, param_data) #Launches fuzzer aka Ninja
TypeError: fuzzer() takes exactly 6 arguments (2 given)

I noticed that many times when I try to discover parameters, there is a '>' character at the end. Not sure if the parameter name is being parsed incorrectly, or just its representation in GUI:

The HTML looks like this:

Traceback (most recent call last):
File "xsstrike", line 5, in
import mechanize # To make request to webpages
ImportError: No module named mechanize

Hi s0md3v,

I'm just wondering if we can silence this warning?

/usr/local/lib/python2.7/site-packages/fuzzywuzzy/fuzz.py:35: UserWarning: Using slow pure-python SequenceMatcher. Install python-Levenshtein to remove this warning
warnings.warn('Using slow pure-python SequenceMatcher. Install python-Levenshtein to remove this warning')

Traceback (most recent call last):
  File "./xsstrike.py", line 30, in <module>
    from core.photon import photon
  File "/opt/XSStrike/core/photon.py", line 2, in <module>
    import tld
ModuleNotFoundError: No module named 'tld'

after running pip3 install photon everything works

[?] Enter the target URL: http://*****************.com/*******.php
[?] Enter cookie (if any):
[!] The URL you entered seems to use POST Method.
[?] Enter post data: ******=*******&***=d3v&*****=********&*******=****&****=**&******=******

1. Striker
2. Ninja
   Enter your choice: 1

Traceback (most recent call last):
File "./xsstrike", line 1115, in
post_choice() #Printing menu items which supports POST method
File "./xsstrike", line 1064, in post_choice
POST()
File "./xsstrike", line 580, in POST
param_data = param
NameError: global name 'param' is not defined

kali aws

root@kali /h/e/XSStrike# python xsstrike
  File "xsstrike", line 711
    webbrowser.open(cloak)
             ^
SyntaxError: invalid syntax

mac

  File "xsstrike", line 100
    print payload
                ^
SyntaxError: Missing parentheses in call to 'print'

what should i answer in " does is use POST METHOD ? "
and where can i found " POST DATA " ?

thanks

There's a weird error on line 718

[?] Execute project HULK for blind XSS Detection? [Y/n] Traceback (most recent call last):
  File "xsstrike", line 780, in <module>
    input() #This is the true start of the program
  File "xsstrike", line 768, in input
    initiator(url, GET, POST)
  File "xsstrike", line 718, in initiator
    choice = raw_input('%s Execute project HULK for blind XSS Detection? [Y/n] ' % que).lower()
ValueError: I/O operation on closed file

I have no idea how to solve this, also the value of payload on line 721 and 722 is different.
Anyone who would like to help? Comment here or start a pull request.
Thanks in advance.

Hi, Love your work! Can you add more screenshots as the current ones are broken?

Hey @UltimateHackers ,

Thanks for Creating this tool.

i Have a Feature request , It Would be good for more automation . !

How about passing params directly :

python xssstrike.py -get -u URLHERE -level=LEVELNUMBER

whereas:
LEVELNUMBER = 1 = Fuzzer
LEVELNUMBER = 2 = Striker
LEVELNUMBER = 3 = Spider

Need output functionality to store all log or result :
ex:
python xssstrike.py -get -u https://google.com?x=xxx -level=2 -o test.log

I'm Looking forward to contribute to this project and help to add this above 2 features :)

Hi bro, just download the tool but i want to add cookie section which is not working. please provide the soultion.