diff --git a/README.md b/README.md
index 9c48f4d..5cafe80 100644
--- a/README.md
+++ b/README.md
@@ -44,16 +44,17 @@ Here are some examples of the payloads generated by XSStrike:
 Apart from that, XSStrike has crawling, fuzzing, parameter discovery, WAF detection capabilities as well. It also scans for DOM XSS vulnerabilities.
 
 ### Main Features
-- Reflected and DOM XSS Scanning
+- Reflected and DOM XSS scanning
 - Multi-threaded crawling
 - Context analysis
-- Configurable Core
-- Highly Researched Work-flow
+- Configurable core
 - WAF detection & evasion
+- Intelligent payload generator
 - Handmade HTML & JavaScript parser
 - Powerful fuzzing engine
-- Intelligent payload generator
-- Complete HTTP Support
+- Blind XSS support
+- Highly researched work-flow
+- Complete HTTP support
 - Bruteforce payloads from a file
 - Powered by [Photon](https://github.com/s0md3v/Photon), [Zetanize](https://github.com/s0md3v/zetanize) and [Arjun](https://github.com/s0md3v/Arjun)
 - Payload Encoding
diff --git a/core/config.py b/core/config.py
index ff914f0..f0b7011 100644
--- a/core/config.py
+++ b/core/config.py
@@ -1,6 +1,7 @@
-changes = '''verbose toggle;bruteforcer from a file;bug fixes;payload encoding'''
+changes = '''blind xss support'''
 defaultEditor = 'nano'
+blindPayload = '' # your blind XSS payload
 xsschecker = 'v3dm0s' # A non malicious string to check for reflections and stuff
 minEfficiency = 90
diff --git a/xsstrike.py b/xsstrike.py
index 50f68ea..1bba848 100644
--- a/xsstrike.py
+++ b/xsstrike.py
@@ -12,7 +12,7 @@ print('''%s
 try:
     from urllib.parse import quote_plus, unquote, urlparse
 except ImportError: # throws error in python2
-    print ('%s XSStrike isn\'t compatible with python2.' % bad)
+    print ('%s XSStrike isn\'t compatible with python2.\n Use python > 3.4 to run XSStrike.' % bad)
     quit()
 # Let's import whatever we need
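Review bot: The new `blindPayload = ''` in core/config.py leaves the `--blind` flag inert until someone edits this file by hand, and the one-word comment does not say so. The empty default is exactly what makes the later guard `if blindXSS and blindPayload:` skip the injection, so that consequence belongs in the comment, e.g. `blindPayload = ''  # payload sent with --blind (typically one that calls back to a server you control); --blind sends nothing while this is empty`. The `changes` string now only names the feature and is the sole other mention of it in this file, so this comment is the one place an operator will learn the flag depends on this setting.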
@@ -38,7 +38,7 @@ from core.requester import requester
 from core.htmlParser import htmlParser
 from core.wafDetector import wafDetector
 from core.filterChecker import filterChecker
-from core.config import xsschecker, minEfficiency
+from core.config import xsschecker, minEfficiency, blindPayload
 from core.utils import getUrl, getParams, flattenParams, extractHeaders, verboseOutput
 
 # Processing command line arguments
@@ -59,6 +59,7 @@ parser.add_argument('-d', '--delay', help='delay between requests', dest='delay'
 parser.add_argument('--skip', help='don\'t ask to continue', dest='skip', action='store_true')
 parser.add_argument('--skip-dom', help='skip dom checking', dest='skipDOM', action='store_true')
 parser.add_argument('-v', '--vectors', help='verbose output', dest='verbose', action='store_true')
+parser.add_argument('--blind', help='inject blind XSS payload while crawling', dest='blindXSS', action='store_true')
 args = parser.parse_args()
 
 if args.headers:
@@ -74,6 +75,7 @@ paramData = args.data
 verbose = args.verbose
 skipDOM = args.skipDOM
 level = args.level or 2
+blindXSS = args.blindXSS
 delay = args.delay or core.config.delay
 timeout = args.timeout or core.config.timeout
 threadCount = args.threads or core.config.threadCount
@@ -206,7 +208,7 @@ def singleTarget(target, paramData, verbose, encoding):
         print ('%s Efficiency: %i' % (info, bestEfficiency))
         print ('%s Confidence: %i' % (info, confidence))
 
-def multiTargets(scheme, host, main_url, form, domURL, verbose):
+def multiTargets(scheme, host, main_url, form, domURL, verbose, blindXSS, blindPayload):
     signatures = set()
     if domURL and not skipDOM:
         response = requests.get(domURL).text
@@ -256,6 +258,9 @@ def multiTargets(scheme, host, main_url, form, domURL, verbose):
                         break
             except IndexError:
                 pass
+            if blindXSS and blindPayload:
+                paramsCopy[paramName] = blindPayload
+                requester(url, paramsCopy, headers, GET, delay, timeout)
 
 def bruteforcer(target, paramData, payloadList, verbose, encoding):
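Review bot: `blindXSS = args.blindXSS` in the @@ -74 hunk stores the flag without checking that core/config.py actually provides a payload, so `--blind` with the default empty `blindPayload` silently injects nothing and the later guard `if blindXSS and blindPayload:` just falls through. A warning here would stop an operator believing a scan performed blind injection when it never did, e.g. `if blindXSS and not blindPayload: print('%s --blind given but blindPayload in core/config.py is empty, nothing will be injected' % bad)`. Both `bad` (used in the python2 check near the top of the file) and `blindPayload` (imported in the @@ -38 hunk) are in scope at this point.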
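Review bot: The three lines added to multiTargets in the @@ -256 hunk fire the blind payload at each parameter without recording where it was sent, so when a callback arrives hours later nothing in the scan output ties it back to the URL and parameter name that triggered it; multiTargets' signature is in a separate hunk and the function's start is outside this one. A line such as `if verbose: print('%s Blind payload injected into %s at %s' % (info, paramName, url))` beside the `requester(...)` call gives the operator that correlation, and `verbose` is already a parameter of multiTargets per the signature hunk. Nothing visible in the hunk catches an exception from this new request, so a failed blind request would abort the remaining parameters of the form unless `requester` absorbs connection errors itself, which is worth confirming.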
@@ -303,7 +308,7 @@ else:
     for i in range(difference):
         domURLs.append(0)
     threadpool = concurrent.futures.ThreadPoolExecutor(max_workers=threadCount)
-    futures = (threadpool.submit(multiTargets, scheme, host, main_url, form, domURL, verbose) for form, domURL in zip(forms, domURLs))
+    futures = (threadpool.submit(multiTargets, scheme, host, main_url, form, domURL, verbose, blindXSS, blindPayload) for form, domURL in zip(forms, domURLs))
     for i, _ in enumerate(concurrent.futures.as_completed(futures)):
         if i + 1 == len(forms) or (i + 1) % threadCount == 0:
             print('%s Progress: %i/%i' % (info, i + 1, len(forms)), end='\r')
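Review bot: `blindXSS` and `blindPayload` are module-level names (assigned at `blindXSS = args.blindXSS` and imported from core.config), yet this `threadpool.submit(...)` call threads them through multiTargets' signature while the function keeps reading `skipDOM` straight from global scope in `if domURL and not skipDOM:`, so the two flags are now handled in opposite styles and the new parameters shadow the globals of the same name. Either drop the two extra arguments and read the globals the way `skipDOM` is read, or pass `skipDOM` explicitly as well; one convention makes it clear which values a worker thread actually depends on. The enclosing `else:` block begins before this hunk.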