Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/faizann24/xsspy
XssPy - Web Application XSS Scanner
https://github.com/faizann24/xsspy
Last synced: 2 days ago
JSON representation
XssPy - Web Application XSS Scanner
- Host: GitHub
- URL: https://github.com/faizann24/xsspy
- Owner: faizann24
- License: mit
- Created: 2016-03-07T14:06:38.000Z (over 8 years ago)
- Default Branch: master
- Last Pushed: 2023-01-20T23:39:15.000Z (almost 2 years ago)
- Last Synced: 2024-11-03T04:32:40.913Z (11 days ago)
- Language: Python
- Homepage: http://www.fsecurify.com
- Size: 36.1 KB
- Stars: 834
- Watchers: 63
- Forks: 230
- Open Issues: 19
-
Metadata Files:
- Readme: README.md
- License: LICENSE.md
Awesome Lists containing this project
README
# XssPy - Web Application XSS Scanner
A tool by FsecurifyAuthor: Faizan Ahmad
https://pk.linkedin.com/in/faizan-ahmad-015964118# Great News: Xsspy was recently used by an engineer at microsoft to find a bug in Pentagon's Bug Bounty Program.
http://holisticinfosec.blogspot.com/2016/06/toolsmith-tidbit-xsspy.html# How to Use:
http://fsecurify.com/xsspy-web-application-xss-scanner/# Installation:
Type the following in the terminal.`git clone https://github.com/faizann24/XssPy/` /opt/xsspy
The tool works on Python 2.7 and you should have mechanize installed. If mechanize is not installed, type "pip install mechanize" in the terminal.
You will also need the mechanize distribution, you can install it with pip:
```pip install mechanize```# Usage:
`python XssPy.py website.com` (Do not write www.website.com OR http://www.website.com)# Docker
Advantage of Docker is that is will run on every machine. You don't need to install Pip packages or use a Venv.
Package versions are pinned. This ensures that XssPy will also run in the future. Regardless which Python-Version you've running on you machine.
## Docker build
```
docker build -t xsspy .
```
## Docker usage
After you build
```
docker run -t xsspy -u website.com
```# Payloads
If you have found a XSS vulnerability, you can try the following payloads.
http://pastebin.com/J1hCfL9J# Description:
XssPy is a python tool for finding Cross Site Scripting vulnerabilities in websites. This tool is the first of its kind. Instead of just checking one page as most of the tools do, this tool traverses the website and find all the links and subdomains first. After that, it starts scanning each and every input on each and every page that it found while its traversal. It uses small yet effective payloads to search for XSS vulnerabilities.The tool has been tested parallel with paid Vulnerability Scanners and most of the scanners failed to detect the vulnerabilities that the tool was able to find. Moreover, most paid tools scan only one site whereas XSSPY first finds a lot of subdomains and then scan all the links altogether. The tool comes with:
1) Short Scanning
2) Comprehensive Scanning
3) Finding subdomains
4) Checking every input on every pageWith this tool, Cross Site Scripting vulnerabilities have been found in the websites of MIT, Stanford, Duke University, Informatica, Formassembly, ActiveCompaign, Volcanicpixels, Oxford, Motorola, Berkeley and many more.
# NOTE:
Mail me if you encounter any errors ([email protected]). You can also post your problems on the website. I'll try my best to respond as soon as possible.Best Regards
Faizan Ahmad
CEO of Fsecurify