Do you want a program to scan for XSS vulnerabilities or inject your custom payloads?
If yes then we have a gift for you.
So ladies (do you know any lady hacker? I do) and gentlemen, please welcome XSSight.
It is a Python script that checks whether a parameter is vulnerable to XSS. It can also inject payloads into the parameter. If any of the payloads succeeds, XSSight steals the cookie, which can be used to hijack the session (we will learn about that really soon). As a bonus, it does banner grabbing and detects WAFs. It is a mod of XSSYA.
You can download XSSight from here
When you run the script you will be greeted by XSSight
Enter your target URL and you will get two options:
XSS Scanner: It injects characters like / \ ' " < > and checks the source code of the target webpage to see how the page handles the input, then tells us whether it is vulnerable to XSS.
Payload Injector: It injects many payloads into the parameter one by one and checks whether they succeed. If a payload succeeds, XSSight grabs the cookie. This option also checks whether the target is protected by a WAF like mod_security. You can add your custom payloads in the custom.py file.
Now let's enter 1 to use the XSS Scanner, and in no time we get:
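The kind of check the XSS Scanner option describes, sketched as an added example (not XSSight's code): it looks at how a probe made of the listed characters comes back in a response body and whether the encoding fits the place it lands in. The marker, function names and sample pages are constructed for illustration and everything runs offline.

```python
import html
import re

MARK = "xsprobe9"                    # constructed marker, unlikely to occur naturally
PROBE_CHARS = "/\\'\"<>"             # the characters the article lists
PROBE = MARK + PROBE_CHARS + MARK    # value placed in the parameter under test

def analyze(body: str) -> list:
    """Return one finding per reflection of the probe in an HTML response body."""
    findings = []
    pattern = re.escape(MARK) + r"(.*?)" + re.escape(MARK)
    for m in re.finditer(pattern, body, re.S):
        reflected = m.group(1)
        # Characters that came back unencoded (entity forms contain none of them).
        raw = [c for c in PROBE_CHARS if c in reflected]
        # Heuristic: an unclosed '<' before the reflection means we are inside a tag.
        prefix = body[:m.start()]
        context = "attribute" if prefix.rfind("<") > prefix.rfind(">") else "text"
        if context == "text":
            risky = "<" in raw                    # new markup can be opened
        else:
            risky = '"' in raw or "'" in raw      # attribute value can be closed
        findings.append({"context": context, "raw": raw, "risky": risky})
    return findings

def render_pages(q: str) -> dict:
    """Constructed sample pages: the same input handled four different ways."""
    return {
        "raw_text": f"<p>Results for {q}</p>",
        "escaped_text": f"<p>Results for {html.escape(q)}</p>",
        # Escapes < > & but leaves quotes alone: fine in text, not in an attribute.
        "half_escaped_attr": f'<input name="q" value="{html.escape(q, quote=False)}">',
        "escaped_attr": f'<input name="q" value="{html.escape(q)}">',
    }

if __name__ == "__main__":
    for name, page in render_pages(PROBE).items():
        for finding in analyze(page):
            print(f"{name:18} {finding}")
```

The `half_escaped_attr` page shows why the context matters: the angle brackets are encoded, yet the value is still flagged because the quotes are not.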
Great! XSSight says the given parameter is vulnerable to XSS.
If you wish to use the Payload Injector, then it's pretty simple and effective:
Now we know what kind of payload works against the target, and we also have the user's PHPSESSID.
That’s it. I hope you will find it useful.
Well here are some things to consider:
1. This script is in the beta phase, so it is prone to bugs/errors. If you find a bug in the script, please contact us on our Facebook page.
2. I am looking forward to adding more features to the script, so stay tuned.
3. Feel free to add your own payloads to custom.py and comment on how I can make XSSight better.
Thanks for reading. Keep XSSing!