{"id":13542243,"url":"https://github.com/bugbountyforum/XSS-Radar","last_synced_at":"2025-04-02T09:33:27.095Z","repository":{"id":70985701,"uuid":"93783073","full_name":"bugbountyforum/XSS-Radar","owner":"bugbountyforum","description":null,"archived":false,"fork":false,"pushed_at":"2018-01-08T21:17:44.000Z","size":219,"stargazers_count":318,"open_issues_count":9,"forks_count":48,"subscribers_count":22,"default_branch":"master","last_synced_at":"2024-11-03T07:33:13.379Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bugbountyforum.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2017-06-08T19:08:35.000Z","updated_at":"2024-10-16T08:06:31.000Z","dependencies_parsed_at":"2023-03-11T09:37:58.148Z","dependency_job_id":null,"html_url":"https://github.com/bugbountyforum/XSS-Radar","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bugbountyforum%2FXSS-Radar","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bugbountyforum%2FXSS-Radar/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bugbountyforum%2FXSS-Radar/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bugbountyforum%2FXSS-Radar/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bugbountyforum","download_url":"https://codeload.github.com/bugbountyforum/XSS-Radar/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246789290,"owners_count":20834267,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T10:01:03.386Z","updated_at":"2025-04-02T09:33:26.542Z","avatar_url":"https://github.com/bugbountyforum.png","language":"JavaScript","readme":"\u003cdiv align=\"center\"\u003e\n\u003cimg align=\"center\" src=\"https://user-images.githubusercontent.com/4115778/27097021-d8f2a73e-506a-11e7-8dd2-0ec615322516.png\" height=\"200\"\u003e\u003c/img\u003e\n\u003c/div\u003e\n\u003cdiv align=\"center\"\u003e\n\u003cb\u003eCross-site scripting discovery\u003c/b\u003e\n\u003cbr/\u003e\nA Chrome extension for fast and easy XSS fuzzing\n\u003cbr/\u003e\n\u003cbr/\u003e\n\n[![GitHub issues](https://img.shields.io/github/issues/bugbountyforum/XSS-Radar.svg?style=flat-square)](https://github.com/bugbountyforum/XSS-Radar/issues)\n[![Twitter](https://img.shields.io/twitter/url/https/github.com/bugbountyforum/XSS-Radar.svg?style=social)](https://twitter.com/intent/tweet?text=XSS%20Radar:%20https://github.com/bugbountyforum/XSS-Radar\u0026url=https://github.com/bugbountyforum/XSS-Radar%5Bobject%20Object%5D)\n\u003c/div\u003e\n\u003chr/\u003e\n\u003cdiv align=\"center\"\u003e\nXSS Radar is a tool that detects parameters and fuzzes them for \u003ca href=\"https://github.com/bugbountyforum/XSS-Radar/wiki/What-is-cross-site-scripting%3F\"\u003ecross-site scripting\u003c/a\u003e vulnerabilities.\u003cbr/\u003eIt's also the first tool developed by the \u003ca href=\"https://bugbountyforum.com\"\u003eBug Bounty Forum\u003c/a\u003e community! \n\u003c/div\u003e\n\n## How do I install it?\nAt present, we're only supporting the widely used **Google Chrome**. XSS Radar takes the form of a browser extension, so we hope to support Firefox in the future.\n\n1. First, `git clone https://github.com/bugbountyforum/XSS-Radar`\n2. Visit `chrome://extensions/`\n3. Enable Developer Mode via the checkbox\n4. Select \"Load Unpacked Extension\"\n5. Finally, locate and select the inner `extension` folder\n\n## How do I use it?\nVisit a target page, open the extension and select **Fuzz!**\n\n\u003cimg src=\"https://user-images.githubusercontent.com/4115778/27141364-df47a638-511f-11e7-8838-968e496a0d0f.png\" alt=\"Screenshot of extension Fuzz window\" height=\"450\"/\u003e\n\n### Contexts and tests\nWe've developed contexts – and their respective tests – in a fully modular fashion. By doing so, we've made it easy to contribute new methodologies to Radar's Scanner module.\n\n**Contexts** are found in `contexts.js` (inside `extension/src/payloads/`). Upon fuzzing, the Scanner searches for applicable contexts on the target and deploys the right payloads. For instance, link-based XSS bugs often rely on injection within the `href` attribute, so we've added a context which specifically matches against these:\n\n```\n{\n    'type': 'a', // link/anchor type\n    'matches': ['href'], // URI attribute\n    'file': 'link.js' // payload file\n}\n```\n\n**Tests** are found within the `playground` subdirectory. The XSS Playground contains a variety of cross-site scripting scenarios designed to support development and ensure Radar's effectiveness. At present, we test for classic vectors, JavaScript injection, tag breakouts, and templating vulnerabilities.\n\n### Payloads\nWe've integrated the following reflected payload classes. These can be found in \u003ca href=\"https://github.com/bugbountyforum/XSS-Radar/tree/master/extension/src/payloads\"\u003eextension/src/payloads\u003c/a\u003e.\n\n* AngularJS [template injection](http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html)\n    * All versions with a vulnerable Expression Sandbox are supported\n* Link-based URIs\n* Script injections \n* Generic tag strings\n\n## Contributors\nXSS Radar is a Bug Bounty Forum project with the following contributors. It's community-driven, and we truly appreciate your [contributions](https://github.com/bugbountyforum/XSS-Radar/blob/master/CONTRIBUTING.md)!\n\n* Ibram Marzouk\n* Anshuman Bhartiya\n* Rafal Janicki\n* Jack Cable\n* Filipe Reis\n* gradius\n* Olivier beg\n* Yasin Soliman\n\n\u003chr/\u003e\n\n## FAQ\n\n### Can I use my own payloads?\n\nYes, you can add your own payloads in [extension/src/payloads](https://github.com/bugbountyforum/XSS-Radar/tree/master/extension/src/payloads).\n\n### What types of XSS does XSS Radar detect?\n\nXSS Radar detects reflected XSS. Self-XSS, DOM based XSS and stored XSS cannot be detected with this extension.\n","funding_links":[],"categories":["Exploitation","JavaScript","JavaScript (485)"],"sub_categories":["XSS Injection"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbugbountyforum%2FXSS-Radar","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbugbountyforum%2FXSS-Radar","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbugbountyforum%2FXSS-Radar/lists"}