https://github.com/christophe77/ssxss

XSS scanner using puppeteer with nodeJS
express javascript puppeteer xss xss-detection

# ssXss

XSS scanner using Puppeteer with Node.js

## Install

Clone the project and install the dependencies:

```sh
git clone https://github.com/christophe77/ssXss
cd ssXss
yarn install
```

## How to use

### From command line

Edit the _/src/index.js_ file and set the _url_ constant to the URL you want to scan.

You can also edit the default options.

I suggest not changing the timeout values; they are a good compromise between speed and accuracy.

If you want to scan and check all inputs inside all forms at the URL, set _scanType: forms_

If you want to check some specific inputs, set _scanType: inputs_

If you want to test all payloads after a URL parameter, set _scanType: urlParam_

If you want to store the results inside a json file, set _result: file_

If you want to receive the results as a JSON stream, set _result: stream_

Use `ssXss.scanForms(url, options)` for full page scanning.

Create a selector object if you want to scan specific inputs:

```js
const selectors = {
  inputs: ['input[name="email"]', 'input[name="username"]'],
  submit: 'input[type="submit"]',
};
```

You can now start scanning.

```sh
yarn start:cmd
```

### From express

Edit the _/src/express/index.js_ file and set the port that you want.

```sh
yarn start:web
```

## Customization

You can add more XSS payloads in the _/scanner/payloads.js_ file.

A payload must execute `console.log("ssxss")` or `alert("ssxss")`, and the user action can be none or "onmouseover".

## Future

The current version of ssXss works well, but it needs improvements:

- Improve speed.
- Improve DOM analysis to go deeper.
- Make npm package.

## Contribution

Any contribution is accepted.

## Bugs

If you find any bugs, please file an issue report.

If you have a website with an XSS vulnerability that is not discovered by ssXss, you can contact me.

## Demo

[http://165.227.229.84:6969/](http://165.227.229.84:6969/)