s0md3v/XSStrike
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Shifted documentation to project website.

Browse Source
This commit is contained in:
Ultimate Hackers
2017-08-03 16:14:22 +05:30
committed by GitHub
parent ee362f4684
commit 1275b28bad
1 changed files with 10 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
README.md
View File

@@ -1,9 +1,9 @@
<p align="middle"><img src='https://i.imgur.com/TKMnPRJ.png' /></p>
<a href="http://teamultimate.in">![Website](https://img.shields.io/website-up-down-green-red/http/shields.io.svg?label=teamultimate.in&style=flat-square)</a> ![Python](https://img.shields.io/badge/Requires-Python2.7-blue.svg) ![Version](https://img.shields.io/badge/Version-1.2-red.svg) ![Bugs](https://img.shields.io/badge/Known--Issues-0-yellow.svg)
<a href="http://xsstrike.tk">![Website](https://img.shields.io/website-up-down-green-red/http/shields.io.svg?label=xsstrike.tk&style=flat-square)</a> ![Python](https://img.shields.io/badge/Requires-Python2.7-blue.svg) ![Version](https://img.shields.io/badge/Version-1.2-red.svg) ![Bugs](https://img.shields.io/badge/Known--Issues-0-yellow.svg)
# XSStrike
XSStrike is a python script designed to detect and exploit XSS vulnerabilites.
XSStrike is a python script designed to detect and exploit XSS vulnerabilites. Visit XSStrike's [project site](http://xsstrike.tk/) for more info.
A list of features XSStrike has to offer:
@@ -17,6 +17,8 @@ A list of features XSStrike has to offer:
- [x] Negligible number of false positives
- [x] Opens the POC in a browser window
<img src='https://i.imgur.com/oWVlUjs.png' />
### Installing XSStrike
Use the following command to download it
```
@@ -34,50 +36,13 @@ Now you are good to go! Run XSStrike with the following command
```
python xsstrike
```
## Using XSStrike
### Using XSStrike
You can enter <b>help</b> in XSStrike's target prompt for basic usages.
![XSStrike 1]( http://teamultimate.in/wp-content/uploads/2017/06/Screenshot-from-2017-06-26-15-12-19.png "Screenshot")
You can view XSStrike's complete documentation [here](http://xsstrike.tk/Documentation/).
You can enter your target URL now but remember, you have to mark the most crucial parameter by inserting "d3v<" in it.
For example: target.com/search.php?q=d3v&category=1
After you enter your target URL, XSStrike will check if the target is protected by a WAF or not.
If its not protected by WAF you will get three options
<b>1. Fuzzer:</b> It checks how the input gets reflected in the webpage and then tries to build a payload according to that.
![XSStrike 2]( http://teamultimate.in/wp-content/uploads/2017/06/Screenshot-from-2017-06-26-15-14-29.png "Screenshot 2")
<b>2. Striker:</b> It bruteforces all the parameters one by one and generates the proof of concept in a browser window.
![XSStrike 3]( http://teamultimate.in/wp-content/uploads/2017/06/Screenshot-from-2017-06-26-15-15-24.png "Screenshot 3")
<b>3. Spider:</b> It extracts all the links present in homepage of the target and checks parameters in them for XSS.
<img src='https://i.imgur.com/2oyYu5j.png' />
<b>4. Hulk:</b> Hulk uses a different approach, it doesn't care about reflection of input. It has a list of polyglots and solid payloads, it just enters them one by one in the target parameter and opens the resulted URL in a browser window.
![XSStrike 4]( http://teamultimate.in/wp-content/uploads/2017/06/Screenshot-from-2017-06-26-15-16-36.png "Screenshot 4")
XSStrike can also bypass WAFs
![XSStrike 5]( http://teamultimate.in/wp-content/uploads/2017/06/Screenshot-from-2017-06-26-15-17-29.png "Screenshot 5")
XSStrike supports POST method too
![XSStrike 6]( http://teamultimate.in/wp-content/uploads/2017/06/Screenshot-from-2017-06-28-17-51-24.png "Screenshot 6")
You can also supply cookies to XSStrike
<img src='https://i.imgur.com/PwCRUgB.png' />
Unlike other stupid bruteforce programs, XSStrike has a small list of payloads but they are the best one. Most of them are carefully crafted by me.
If you find any bug or have any suggestion to make the program better please let me know on Ultimate Hacker's [facebook page](https://www.facebook.com/weareultimates) or start an issue on XSStrike's Github repository.
### Demo video
<a href="https://youtu.be/8R_5EjIeFe4" target="_blank"><img src="http://teamultimate.in/wp-content/uploads/2017/06/Screenshot-from-2017-06-29-16-59-48.png"
alt="watch xsstrike in action" border="10" /></a>
## Are you a Developer?
If you are a developer and want to use XSStrike's code in your project or want to contribute to XSStrike then you should read the [developer guide](http://xsstrike.tk/For-Developers/).
#### Credits
XSStrike uses code from [BruteXSS](https://github.com/shawarkhanethicalhacker/BruteXSS) and [Intellifuzzer-XSS](https://github.com/matthewdfuller/intellifuzz-xss), <a href="https://github.com/The404Hacking/XsSCan">XsSCan</a>.
XSStrike uses code from [BruteXSS](https://github.com/shawarkhanethicalhacker/BruteXSS), [Intellifuzzer-XSS](https://github.com/matthewdfuller/intellifuzz-xss) and [XsScan](https://github.com/The404Hacking/XsSCan), [WAFNinja](https://github.com/khalilbijjou/WAFNinja/).