📖
Pentest Book by n3t_hunt3r
  • XSS Filter Evasion and WAF Bypassing Tactics
  • Cloud Pentesting
  • AWS Security Testing
  • Azure Pentesting
  • GCP Pentesting
  • Web Application Pentesting
    • XSS <Cross Site Scripting>
      • PDF Injection <XSS>
      • DOM XSS
      • Server Side XSS <Dynamic PDF>
      • XSS Tools
    • SSRF <Server Side Request Forgery>
    • Open Redirect Vulnerability
    • Command Injection
    • File Upload
    • Rate Limit Bypass Techniques
    • IDOR
    • Web Cache Poisoning /Web Cache Deception
    • CSRF <Cross Site Request Forgery>
    • XPATH injection
    • LDAP Injection
    • JWT Vulnerabilities <Json Web Tokens>
    • CORS - Misconfigurations & Bypass
    • Reset/Forgotten Password Bypass
    • CRLF (%0D%0A) Injection
    • Clickjacking
    • Hostile Domain/Subdomain takeover
    • Server Side Inclusion/Edge Side Inclusion Injection
    • HTTP Request Smuggling / HTTP Desync Attack
    • SAML Attacks
    • OAuth to Account takeover
    • Cross-site WebSocket hijacking (CSWSH)
    • Uncovering CloudFlare
    • Email Header Injection
    • Unicode Normalization vulnerability
    • Registration Vulnerabilities
    • Race Condition
Powered by GitBook
On this page
  • XSStrike
  • BruteXSS
  • XSSer
  • XSSCrapy
  • DalFOx

Was this helpful?

  1. Web Application Pentesting
  2. XSS <Cross Site Scripting>

XSS Tools

PreviousServer Side XSS <Dynamic PDF>NextSSRF <Server Side Request Forgery>

Last updated 3 years ago

Was this helpful?

XSStrike

git clone https://github.com/s0md3v/XSStrike.git
pip3 install -r XSStrike/requirements.txt

Basic Usage(Get): python3 xsstrike.py --headers -u "" Basic Usage(Post): python xsstrike.py -u "" --data "q=query" Crawling(depth=2 default): python xsstrike.py -u "" --crawl -l 3 Find hidden parameters: python xsstrike.py -u "" --params Extra: --headers #Set custom headers (like cookies). It is necessary to set every time --skip-poc --skip-dom #Skip DOM XSS scanning

BruteXSS

git clone https://github.com/rajeshmajumdar/BruteXSS

Tool to find vulnerable (GET or POST) parameter to XSS using a list of payloads with a GUI. Custom headers (like cookies) can not be configured.

XSSer

Already installed in Kali. Complete tool to find XSS.

Basic Usage(Get):

The tool doesnt send the payload:(

XSSCrapy

git clone https://github.com/DanMcInerney/xsscrapy

Not recommended. A lot of unnecessary output, and it doesn`t work properly.

DalFOx

http://localhost/vulnerabilities/xss\_r/?name=asd
http://example.com/search.php
http://example.com/page.php
http://example.com/page.php
https://github.com/epsylon/xsser
https://github.com/hahwul/dalfox