{"id":29259270,"url":"https://github.com/hackunderway/xss_scanner","last_synced_at":"2025-07-04T06:32:41.871Z","repository":{"id":299548089,"uuid":"1003356433","full_name":"HackUnderway/xss_scanner","owner":"HackUnderway","description":"Advanced XSS (Cross-Site Scripting) scanning tool for web security audits, with WAF evasion capabilities and comprehensive report generation.","archived":false,"fork":false,"pushed_at":"2025-06-17T04:29:32.000Z","size":1065,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-06-17T05:27:49.662Z","etag":null,"topics":["payloads","python","tool","waf","xss","xss-scanner"],"latest_commit_sha":null,"homepage":"https://facebook.com/JeyZetaOficial/support","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/HackUnderway.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-06-17T03:03:23.000Z","updated_at":"2025-06-17T04:29:36.000Z","dependencies_parsed_at":"2025-06-17T05:37:59.686Z","dependency_job_id":null,"html_url":"https://github.com/HackUnderway/xss_scanner","commit_stats":null,"previous_names":["hackunderway/xss_scanner"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/HackUnderway/xss_scanner","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HackUnderway%2Fxss_scanner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HackUnderway%2Fxss_scanner/tags","releases_url":"https://repos.ecosyste.ms/api/v
1/hosts/GitHub/repositories/HackUnderway%2Fxss_scanner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HackUnderway%2Fxss_scanner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/HackUnderway","download_url":"https://codeload.github.com/HackUnderway/xss_scanner/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HackUnderway%2Fxss_scanner/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":263461265,"owners_count":23470086,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["payloads","python","tool","waf","xss","xss-scanner"],"created_at":"2025-07-04T06:30:34.653Z","updated_at":"2025-07-04T06:32:41.862Z","avatar_url":"https://github.com/HackUnderway.png","language":"Python","funding_links":["https://www.patreon.com/c/HackUnderway","https://www.buymeacoffee.com/HackUnderway","https://img.buymeacoffee.com/button-api/?text=Buy"],"categories":[],"sub_categories":[],"readme":"\u003ch1 align=\"center\"\u003eXSS Scanner Tool 🕵🏽‍♂️\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n  Advanced XSS (Cross-Site Scripting) scanning tool for web security audits, with WAF evasion capabilities and comprehensive report generation.\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/Python-3.11+-blue.svg\" alt=\"Python version\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/License-MIT-green\" alt=\"LICENCE\"\u003e\n  \u003cimg 
src=\"https://img.shields.io/badge/Reportes-PDF%20%7C%20JSON%20%7C%20HTML-green.svg\" alt=\"Report formats\"\u003e\n\u003c/p\u003e\n\n---\n\n## 🔍 Key features\n\n- **Multifaceted detection**:\n  - Reflected and DOM-based XSS\n  - Context-aware payloads (identifies the injection context)\n  - Advanced WAF evasion techniques (Cloudflare, Cloudfront, etc.)\n\n- **Smart engine**:\n  - Dynamic payload generation\n  - Automatic WAF detection\n  - Headless mode with Puppeteer/Playwright\n\n- **Professional reporting**:\n  - Reports in HTML, PDF and JSON\n  - Detailed explanation of vulnerabilities\n  - Exploitation URLs ready for testing.\n\n## 🚀 Typical use cases\n\n1. **Security audits**\n```bash\npython main.py \"https://example.com/search?q=\" -w cloudflare\n```\n2. **Penetration testing**\n```bash\npython main.py \"https://testphp.vulnweb.com/artists.php?artist=\" -v\n```\n3. **WAF research:**\n```bash\npython main.py \"https://testphp.vulnweb.com/artists.php?artist=\" -v\n```\n\n## 📌 Technical requirements\n\n- Python 3.11+\n\n- Chromium/Chrome browser installed\n\n- Dependencies: playwright, argparse, pyfiglet\n\n## ⚠️ Ethical considerations\n\n#### This tool must be used only on:\n\n- Your own sites with explicit permission\n\n- Controlled test environments\n\n- Bug bounty programs with authorization\n\n- Unauthorized use on third-party systems is illegal.\n\n---\n## ⚙️ Installation\n\nClone the repository:\n\n```bash\ngit clone https://github.com/HackUnderway/xss_scanner.git\n```\n```bash\ncd xss_scanner\n```\n```bash\npip install -r requirements.txt\n```\n\n#### Install browsers (Chromium)\n```bash\nplaywright install chromium\n```\n#### Verify installation\n```bash\npython -c \"from playwright.sync_api import sync_playwright; sync_playwright().start()\"\n```\n#### Help/Guide\n```bash\npython main.py -h\n```\n```bash\n▐▄• ▄ .▄▄ · .▄▄ · \n █▌█▌▪▐█ ▀. ▐█ ▀. 
\n ·██· ▄▀▀▀█▄▄▀▀▀█▄\n▪▐█·█▌▐█▄▪▐█▐█▄▪▐█\n•▀▀ ▀▀ ▀▀▀▀  ▀▀▀▀\nXSS Scanner Tool v2.0\nby @HackUnderway\n\nFeatures:\n• DOM-based XSS detection                                                                                                 \n• Reflected XSS detection                                                                                                 \n• WAF bypass techniques                                                                                                   \n• Smart payload generation                                                                                                \n• Comprehensive reporting                                                                                                 \n\nusage: main.py [-h] url [-p PAYLOADS] [-v] [-w WAF]\n\n🔎 Advanced XSS Scanner Tool v2.0\n\npositional arguments:\n  target_url            Target URL with injection point (must contain ?param=)\n\noptions:\n  -h, --help            Show this help message and exit\n  -p, --payloads PAYLOADS\n                        Custom payload file to use\n  -v, --visible         Run browser in visible mode\n  -w, --waf {akamai,cloudflare,cloudfront,imperva,incapsula,wordfence,auto}\n                        Specify WAF type or 'auto' for detection\n  --no-smart            Disable smart payload generation\n\nExample usage:\n\n✅ URL MUST CONTAIN INJECTION PARAMETERS:\n\nBasic GET scan: \n    python main.py \"https://portswigger-labs.net/xss/xss.php?x=\"                                                          \n\nSpecify WAF type:                                                                                                         \n    python main.py \"https://portswigger-labs.net/xss/xss.php?x=\" -w cloudflare                                            \n\nVisible browser mode:                                                                                                     \n    python main.py \"https://portswigger-labs.net/xss/xss.php?x=\" -v            
                                           \n\nCustom payload file:                                                                                                      \n    python main.py \"https://portswigger-labs.net/xss/xss.php?x=\" -p config/payloads/cloudfront.txt                        \n\n❌ Incorrect examples:                                                                                                    \n    python main.py \"https://portswigger-labs.net\"\n    python main.py \"https://portswigger-labs.net/xss/xss.php?x=test\"\n\nFeatures:\n  • GET method support\n  • Automatic WAF detection\n  • Context-aware payloads\n  • WAF-specific bypass techniques\n  • Smart payload generation\n  • Comprehensive reporting\n\n```\n## 🚀 Usage\n##### Basic scan with the GET method:\n```bash\npython main.py \"https://portswigger-labs.net/xss/xss.php?x=\"\n```\n\n##### Specify the WAF (Web Application Firewall) type:\n```bash\npython main.py \"https://portswigger-labs.net/xss/xss.php?x=\" -w cloudflare\n```\n\n##### Visible browser mode:\n```bash\npython main.py \"https://portswigger-labs.net/xss/xss.php?x=\" -v\n```\n\n##### Custom payload file:\n```bash\npython main.py \"https://portswigger-labs.net/xss/xss.php?x=\" -p config/payloads/cloudfront.txt\n```\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/xss_scanner.png\" alt=\"Xss_Scanner\" width=\"600\"/\u003e\n  \u003cimg src=\"assets/prueba_xss.png\" alt=\"Prueba_XSS\" width=\"600\"/\u003e\n  \u003cimg src=\"assets/reporte_html.png\" alt=\"Reporte_Html\" width=\"600\"/\u003e\n  \u003cimg src=\"assets/reporte_json.png\" alt=\"Reporte_Json\" width=\"600\"/\u003e\n  \u003cimg src=\"assets/reporte_pdf.png\" alt=\"Reporte_Pdf\" width=\"600\"/\u003e\n\u003c/p\u003e\n\n### Credits for payloads used:\n\nhttps://github.com/gprime31/WAF-bypass-xss-payloads\n\nhttps://portswigger.net/web-security/cross-site-scripting/cheat-sheet\n\n### Resources for viewing 
JSON:\n\nhttps://jsonscope.com/\n\nhttps://jsoncrack.com/editor\n\nhttps://2x2xplz.github.io/json_visualizer/default.htm\n\n\u003e **The project is open to contributors.**\n\n# SUPPORTED DISTRIBUTIONS\n|Distribution | Verified version | Supported? | Status |\n|--------------|--------------------|------|-------|\n|Kali Linux| 2025.1| yes| working   |\n|Parrot Security OS| 6.2| yes | working   |\n|Windows| 11 | yes | working   |\n|BackBox| 9 | yes | working   |\n|Arch Linux| 2024.12.01 | yes | working   |\n\n# SUPPORT\nQuestions, bugs or suggestions: info@hackunderway.com\n\n# LICENSE\n- [x] XSS Scanner is licensed.\n- [x] See the [LICENSE](https://github.com/HackUnderway/xss_scanner#MIT-1-ov-file) file for more information.\n\n# CYBERSECURITY RESEARCHER\n\n* [Victor Bancayan](https://www.offsec.com/bug-bounty-program/) - (**CEO at [Hack Underway](https://www.instagram.com/hackunderway/)**) \n\n## 🔗 LINKS\n[![PATREON](https://img.shields.io/badge/patreon-000000?style=for-the-badge\u0026logo=Patreon\u0026logoColor=white)](https://www.patreon.com/c/HackUnderway)\n```\nFanpage: https://www.facebook.com/HackUnderway\nX: https://x.com/JeyZetaOficial\nWeb site: https://hackunderway.com\nYoutube: https://www.youtube.com/@JeyZetaOficial\n```\n## 🌞 Subscriptions\nJoin:\n\n- [Jey Zeta](https://www.facebook.com/JeyZetaOficial/subscribe/)\n\n[![Kali Linux Badge](https://img.shields.io/badge/Kali%20Linux-1793D1?logo=kalilinux\u0026logoColor=fff\u0026style=plastic)](https://www.kali.org/)\n\nfrom \u003cimg src=\"https://i.imgur.com/ngJCbSI.png\" title=\"Perú\"\u003e made in \u003cimg src=\"https://i.imgur.com/NNfy2o6.png\" title=\"Python\"\u003e with \u003cimg src=\"https://i.imgur.com/S86RzPA.png\" title=\"Love\"\u003e by: \u003cfont color=\"red\"\u003eVictor Bancayan\u003c/font\u003e, if you want to donate \u003ca href=\"https://www.buymeacoffee.com/HackUnderway\"\u003e\u003cimg src=\"https://img.buymeacoffee.com/button-api/?text=Buy 
me a coffee\u0026emoji=\u0026slug=HackUnderway\u0026button_colour=40DCA5\u0026font_colour=ffffff\u0026font_family=Comic\u0026outline_colour=000000\u0026coffee_colour=FFDD00\" /\u003e\u003c/a\u003e\n\n© 2025\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhackunderway%2Fxss_scanner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhackunderway%2Fxss_scanner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhackunderway%2Fxss_scanner/lists"}