├── pictures ├── loading.gif ├── logo2.png ├── succeeded.png ├── warning2.ico ├── background.jpg └── xss_scanner_pic.png ├── package.json ├── scanner.html ├── index.js ├── README.md ├── scanner.css └── server.js /pictures/loading.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EliNaduyev/XSS-Scanner/HEAD/pictures/loading.gif -------------------------------------------------------------------------------- /pictures/logo2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EliNaduyev/XSS-Scanner/HEAD/pictures/logo2.png -------------------------------------------------------------------------------- /pictures/succeeded.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EliNaduyev/XSS-Scanner/HEAD/pictures/succeeded.png -------------------------------------------------------------------------------- /pictures/warning2.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EliNaduyev/XSS-Scanner/HEAD/pictures/warning2.ico -------------------------------------------------------------------------------- /pictures/background.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EliNaduyev/XSS-Scanner/HEAD/pictures/background.jpg -------------------------------------------------------------------------------- /pictures/xss_scanner_pic.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/EliNaduyev/XSS-Scanner/HEAD/pictures/xss_scanner_pic.png -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "pup-2", 3 | "version": "1.0.0", 4 | "description": "", 5 | "main": "evil3.js", 6 | "scripts": { 7 | "test": "echo \"Error: no test specified\" && exit 1", 8 | "start": "nodemon server.js" 9 | }, 10 | "keywords": [], 11 | "author": "", 12 | "license": "ISC", 13 | "dependencies": { 14 | "express": "^4.17.1", 15 | "nodemon": "^2.0.2", 16 | "puppeteer": "^2.0.0", 17 | "query-string": "^6.10.1" 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /scanner.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | XSS Scanner 13 | 14 | 15 |

16 | 17 |

18 |

19 |

XSS Scanner

20 | Please Enter URL to scan: 21 | 22 |
23 | 24 | 25 |

26 |

27 |

28 |

29 |

30 | 31 | 32 | -------------------------------------------------------------------------------- /index.js: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | document.getElementById('btn').addEventListener('click', ()=>{ 5 | document.getElementById('loading-icon').style.display='block' 6 | let url2 = document.getElementById('scanner-input').value 7 | axios({ 8 | method:'get', 9 | url:'http://localhost:4000/scanner', 10 | params: { 11 | url: url2 12 | } 13 | }) .then(res => { 14 | 15 | console.log(res.data) 16 | divRes = document.getElementById('result') 17 | if (res.data === true){ 18 | document.getElementById('loading-icon').style.display='none' 19 | divRes.innerHTML = 'The Website have XSS Vulnerability'+ 20 | ' image not found

' 21 | } 22 | else if(res.data === false){ 23 | document.getElementById('loading-icon').style.display='none' 24 | divRes.innerHTML = 'The website is safe'+ 25 | ' image not found

' 26 | } 27 | else{ 28 | document.getElementById('loading-icon').style.display='none' 29 | divRes.innerHTML = '

Sorry for the inconvenience the scanner cant complete the scaning due to Error

'+ 30 | `

Error: ${res.data}

` 31 | } 32 | }) 33 | }) 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # XSS Scanner 2 | 3 | Cross-Site Scripting (XSS) is one of the most well known web application vulnerabilities. It even has a dedicated chapter in the OWASP Top 10 project and it is a highly chased vulnerability in bug bounty programs. 4 | 5 | The scanner gets a link from the user and scan the website for XSS vulnerability by injecting malicious scripts at the input place. The injection happens in headless browser named Chromium and controlled by Puppeteer automation. 6 | 7 | It works in two steps: 8 | 1. Find the target: In this first step, the tool tries to identify all the places at the page including injectable parameters in forms, URLs, headers, etc. 9 | 2. Test for XSS: For each place discovered in the previous step, the scanner will try to detect if the parameters are vulnerable to Cross-Site Scripting. The tool injects a piece of JavaScript code, including some special HTML characters (>, <, ", ') and it will try to see if they are returned in the response page without sanitization. 10 | If the tool detects at least one vulnerability, it will return that the website have XSS vulnerability. 11 | 12 | ### Technologies 13 | * Puppeteer 14 | * Javascript 15 | * NodeJS 16 | * Express 17 | 18 | 19 | ### Prerequisites 20 | 21 | For able to be run the scanner you need to have NodeJS installed on your computer and the browser need to include **Cors extension** 22 | If both of these things are installed, all you have to do in the terminal is: 23 | 24 | ``` 25 | npm install 26 | ``` 27 | and after that just for run the server you need: 28 | 29 | ``` 30 | npm start 31 | ``` 32 | After server is running just open the scanner.html file 33 | 34 | ![](pictures/xss_scanner_pic.png) 35 | -------------------------------------------------------------------------------- /scanner.css: -------------------------------------------------------------------------------- 1 | *{ 2 | padding: 0; 3 | margin: 0; 4 | box-sizing: border-box; 5 | font-family: 'Vollkorn', serif; 6 | } 7 | 8 | .container{ 9 | height: 750px ; 10 | background-image: linear-gradient(rgba(0, 0, 0, 0.3), rgba(0, 0, 0, 0.3)), 11 | url("./pictures/background.jpg"); 12 | background-position: center; 13 | background-repeat: no-repeat; 14 | background-size: cover; 15 | } 16 | 17 | .scanner{ 18 | height: 500px; 19 | width: 500px; 20 | top: 50%; 21 | left: 50%; 22 | position: absolute; 23 | transform: translate(-50%,-45%); 24 | border:1px solid rgb(124, 124, 124); 25 | padding: 10px; 26 | background-color: rgb(194, 192, 192); 27 | border-radius: 5px; 28 | opacity: 0.9; 29 | box-shadow: 0 4px 8px 0 rgba(0, 0, 0, 0.6), 0 6px 20px 0 rgba(0, 0, 0, 0.6); 30 | 31 | } 32 | 33 | .scanner h1{ 34 | margin-top: 50px; 35 | text-align: center; 36 | margin-bottom: 10px; 37 | } 38 | 39 | .scanner input{ 40 | height: 30px; 41 | width: 230px; 42 | border-radius: 3px; 43 | border:none; 44 | border-bottom: 1px solid rgb(156, 156, 156); 45 | margin-top: 20px; 46 | padding: 5px; 47 | margin-left: 5px; 48 | } 49 | 50 | .scanner label{ 51 | font-size: 20px; 52 | } 53 | 54 | 55 | 56 | #btn{ 57 | height: 35px; 58 | width: 150px; 59 | border-radius: 5px; 60 | border:none; 61 | background-color: rgb(59, 59, 59); 62 | margin-top: 30px; 63 | color: white; 64 | margin-left: 150px; 65 | font-size: 16px; 66 | letter-spacing: 1px; 67 | 68 | } 69 | 70 | #btn:hover{ 71 | cursor: pointer; 72 | transition: 0.3s; 73 | background-color: rgb(88, 88, 88); 74 | color: rgb(219, 69, 69); 75 | } 76 | 77 | 78 | .avatar{ 79 | width: 120px; 80 | height: 120px; 81 | border-radius: 50%; 82 | position: absolute; 83 | top: -59px; 84 | left: calc(47% - 50px); 85 | } 86 | 87 | #result{ 88 | height: 200px; 89 | width: 340px; 90 | margin-top: 30px; 91 | margin-left:60px; 92 | padding: 10px; 93 | 94 | } 95 | 96 | #warning{ 97 | margin-left:120px; 98 | margin-top: 20px; 99 | } 100 | 101 | #succeeded{ 102 | margin-left:120px; 103 | margin-top: 20px; 104 | } 105 | 106 | .error{ 107 | padding: 10px; 108 | margin-bottom: 5px; 109 | font-size: 17px; 110 | } 111 | .red{ 112 | display: block; 113 | color: red; 114 | font-size: 20px; 115 | } 116 | .green{ 117 | margin-left: 70px; 118 | display: block; 119 | color: green; 120 | font-size: 20px; 121 | } 122 | 123 | #loading-icon{ 124 | height: 200px; 125 | width: 300px; 126 | margin-left: 10px; 127 | display: none; 128 | } -------------------------------------------------------------------------------- /server.js: -------------------------------------------------------------------------------- 1 | const http = require('http'); 2 | const express = require('express'); 3 | const bodyParser = require('body-parser'); 4 | const queryString = require('query-string'); 5 | const puppeteer = require('puppeteer'); 6 | 7 | const app = express(); 8 | const server = http.createServer(app); 9 | app.use(bodyParser.urlencoded({ extended: true })); 10 | 11 | 12 | 13 | 14 | app.get('/scanner', async(req,res)=>{ 15 | let globalURL = req.query.url 16 | console.log('get request') 17 | let hasXSS = await check_xss(globalURL) 18 | res.send(hasXSS) 19 | }) 20 | 21 | const MALICIOUS_SCRIPT=['', 22 | '

', 23 | "')%3Balert(1)%3Bvar b=('", 24 | '', 25 | '', 26 | '

' 27 | ] 28 | 29 | async function check_xss(url) { 30 | const browser = await puppeteer.launch({ headless: false,defaultViewport: null, args: ['--start-maximized'] }) 31 | const page = await browser.newPage(); 32 | await page.goto(url,{waitUntil: "networkidle2"}); 33 | const formsArray = await page.$$('form'); 34 | const page2 = await browser.newPage(); 35 | let isVulnerable = false; 36 | page2.on('dialog', async dialog => { 37 | isVulnerable=true; 38 | dialog.accept(); 39 | }); 40 | for (script in MALICIOUS_SCRIPT){ 41 | let newUrl= check_url(url,MALICIOUS_SCRIPT[script]); 42 | if (newUrl != ''){await page2.goto(newUrl);} 43 | if (isVulnerable) { 44 | browser.close(); 45 | return true; 46 | } 47 | for (i in formsArray){ 48 | try { 49 | await page2.goto(url, {waitUntil: "networkidle2",timeout: 60000}) 50 | let inputsArray = await formsArray[i].$$eval('input[type="text"],input[type="search"],input:not([type]),textarea', inputs => inputs.map(input => input.id ? '#'+input.id : '.' + input.className)); 51 | for(input in inputsArray){ 52 | let selector = inputsArray[input]; 53 | if(selector.charAt(0)=='.'){selector = selector.split(" ")}; 54 | await page2.type(selector,MALICIOUS_SCRIPT[script],{delay: 20}); 55 | } 56 | let btnsArray=await formsArray[i].$$eval('input[type="submit"],button[type="submit"]', subs => subs.map(sub => sub.id ? '#'+sub.id : '.'+sub.className)); 57 | let btn=btnsArray[0].split(" "); 58 | await page2.click(btn); 59 | newUrl= check_url(page2.url(),MALICIOUS_SCRIPT[script]); 60 | if (newUrl != ''){await page2.goto(newUrl);} 61 | } catch (error) { 62 | browser.close(); 63 | return error.message; 64 | } 65 | } 66 | await new Promise(resolve => setTimeout(resolve, 2000)); 67 | if (isVulnerable) { 68 | browser.close(); 69 | return true; 70 | } 71 | } 72 | browser.close(); 73 | await new Promise(resolve => setTimeout(resolve, 2000)); 74 | if (!isVulnerable){return false;} 75 | else {return true;} 76 | } 77 | 78 | const check_url = (url,script)=> { 79 | let temp={}; 80 | let newUrl=''; 81 | temp = url.split('?'); 82 | let tmp= queryString.parse(temp[1]) 83 | let key=Object.keys(tmp); 84 | if (temp[1]){ 85 | newUrl= temp[0] + '?'; 86 | for (let k in tmp){ 87 | if(key[0]===k){ newUrl= newUrl + k + '=' + script; } 88 | else { newUrl= newUrl+ '&'+ k + '=' + script; } 89 | } 90 | } 91 | return newUrl 92 | } 93 | 94 | 95 | server.listen(process.env.PORT || 4000, () => 96 | console.log(`Server has started.`)); 97 | 98 | // https://xss-game.appspot.com/level1/frame 99 | // https://xss-game.appspot.com/level2/frame 100 | // https://xss-game.appspot.com/level4/frame 101 | // https://www.wikipedia.org 102 | // https://gibiru.com/ --------------------------------------------------------------------------------