Hacking Tutorials

XSStrike : XSS Fuzzer and Smart Bruteforcer

Hello guys! Team Ultimate has created another open source program named XSStrike. XSStrike is a python script for automatic exploitation of XSS vulnerabilities.

Installing XSStrike

First of all download XSStrike from here (Github).
If you are a Linux user then you can simply use the following command to download it

git clone https://github.com/UltimateHackers/XSStrike/

After downloading, navigate to XSStrike directory with the following command

cd XSStrike

Now install the required modules with the following command

pip install -r requirements.txt

Now you are good to go! Run XSStrike with the following command

python xsstrike

Using XSStrike

As soon as you run XSStrike, you will be greeted with this screen

xsstrike by somdev sangwan

You can enter your target URL now but remember, you have to mark the most crucial parameter by inserting d3v in it.

For example: target.com/search.php?q=d3v&category=1

After you enter your target URL, XSStrike will check if the target is protected by a WAF or not.

If its not protected by WAF you will get three options

xsstrike by ultimate hackers

Fuzzer

It checks how the input gets reflected in the webpage and then tries to build a payload according to that.

fuzzing tool for xss

Striker

It bruteforces all the parameters one by one and generates the proof of concept in a browser window.

xss bruteforce script

XSStriker never generates false positives but to assure you, it opens the POC in a browser window like this

xss poc generator

Hulk

Hulk uses a different approach, it doesn’t care about reflection of input. It has a list of polyglots and solid payloads, it just enters them one by one in the target parameter and opens the resulted URL in a browser window.

xsstrike hulk

XSStrike can also detect and bypass Web Application Firewalls (WAFs)

WAF bypass xss script

POST Method

XSStrike supports POST method too

xss in POST method

Unlike other stupid bruteforce programs, XSStrike has a small list of payloads but they are the best one. Most of them are carefully crafted by me.

If you find any bug or have any suggestion to make the program better please let me know on Ultimate Hacker’s facebbok page or post a issue on XSStrike’s Github repository.

Show your support by starring it on Github or commenting below and don’t forget to check our other projects.

Thanks for reading this post till end. Keep Learning! Keep Hacking!

Also Read: Solution of Google’s XSS Challenge [Explained]

About the author

D3V

A n00b hacker and a proud member of Team Ultimate. I am infamous but known as D3V in my circle.

2 Comments

Click here to post a comment




Browse Categories:




Subscribe Now

Get the latest post directly into your inbox.

Thank you for subscribing.

Something went wrong.