XSStrike: XSS detection suite
Just a word of caution: Running tools like this from your home IP address is a good way of getting banned from the Internet* by Akamai.
* (yes, yes, you're not banned from the Internet, but you'll be surprised by all the sites you visit that sit behind Akamai)
Some ISPs are relatively easy to get a new IP address on, others are rather difficult, so don't be dumb, use protection: a VPN.
Just don't run it against anything for which you do not have permission to run such tools.
Running a tool like this against your favorite websites, is a simple way of getting banned from your favorite websites.
Even sites that have bug bounties don't turn off their WAF for you. So you can have permission to run some tools against them, but still anger Akamai.
Blocking VPN IPs isn't a great contribution to the community. Others, including you, will get that IP later.
Ruin your internet for yourself, if you have to run such tools on public websites. You shouldn't anyway.
Don't run this kind of stuff on somebody's website without prior consent.
Never said to do so. Even with prior consent you'll still get Akamai mad at you.
My point here was just that this is a somewhat dangerous tool to start aiming at random websites. There are probably a fair amount of people here who don't understand the full ramifications of their actions.
Do I risk getting banned if I only use this against my own websites?
By who?
If you're running it against an Akamai or Cloudflare reverse proxy in front of your website, then sure. If not, no; they don't have wiretaps.
A couple of years back, the amount of captchas I had to solve to visit a site was amazing while using the workplace network. Although the CDN I faced the most problems with was Cloudflare.
If you’re going to use this against a site that runs in AWS, make sure to request permission first @ https://aws.amazon.com/security/penetration-testing
Thx for the OSS contribution. Looking forward to trying this out.
Interestingly, as of last year Azure no longer requires advance notice: https://www.microsoft.com/en-us/msrc/pentest-rules-of-engage...
Having used XSSStrike, I must say it probably is the best public tool for hunting XSS.
Is there a private tool that only those in the know can use?
He might have meant public as in free/open source. A commercial XSS tool that comes to mind is https://www.blueclosure.com/ .
The implication is yes.
There are commercial/non-free tools.
(Hoping that the author(s) is (are) here) Thank you for working on and sharing a great tool. I spotted two typos on the main site:
“...payload generator generates patloads which are...” patloads -> payloads.
“...flaunting it's genius backend.” it’s -> its.
Submit a PR, the author will definitely see it.
Must be advanced because:
> Throw away your paid tools because this is some God level shit. Now with 4 hand written parsers, an intelligent payload generator, powerful fuzzing engine, DOM scanner, hidden parameter discovery and an incredibly fast crawler. F*cking retweet it!
- https://twitter.com/s0md3v/status/1061255510677057537
> Exactly, that's why you have no idea how it works and all. Well, it took me a month and being a developer of 30+ open source software, this is the first time I am saying this is some God level shit and I mean it.
Why the heck would "four hand written parsers" be a selling point?
Sarcastic?
Not sure testimonials from the dev themselves mean anything.
Does this work on web-pages behind a login?
You can supply your own HTTP headers. So I guess you can send cookies and things like that with it.
No support for base64 encoded parameters?
Spelling error on the very first image example: "Cofidence"
I submitted a PR to fix the mistake before I read the comment here.
Great! Thanks for sharing this. Mirrored. https://git.habd.as/comfusion/XSStrike