├── README.md
└── fuzzer.html

/README.md:
--------------------------------------------------------------------------------
# XSS Fuzzer

XSS Fuzzer is a simple application written in plain HTML/JavaScript/CSS which generates XSS payloads from user-defined vectors: a vector contains one or more placeholders, and each placeholder is replaced with every entry of its fuzzing list.

It can either output the generated payloads as plain text or execute them inside an iframe. From inside the iframe it is possible to send GET or POST requests carrying the generated payloads from the browser to arbitrary URLs.

# Why?

XSS Fuzzer is a generic tool that can be useful for multiple purposes, including:

* Finding new XSS vectors, for any browser
* Testing XSS payloads in GET and POST parameters
* Bypassing XSS Auditors in the browser
* Bypassing web application firewalls
* Exploiting HTML whitelist features

# Example

In order to fuzz, placeholders must first be defined, for example:

* The `[TAG]` placeholder with the fuzzing list `img`, `svg`.
* The `[EVENT]` placeholder with the fuzzing list `onerror`, `onload`.
* The `[ATTR]` placeholder with the fuzzing list `src`, `value`.

The payloads then use those placeholders, for example:

```html
<[TAG] [ATTR]=Something [EVENT]=[SAVE_PAYLOAD] />
```

The `[SAVE_PAYLOAD]` placeholder is replaced with JavaScript code such as `alert(unescape('[PAYLOAD]'));`.

This code is triggered when an XSS payload is successfully executed.
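The placeholder expansion described above, as an added example that is not the project's own code: it expands the README's template with the three example lists, fills `[SAVE_PAYLOAD]` with the `alert(unescape(...))` marker, and then treats the generated set as a regression corpus for a toy event-handler filter. The `FUZZ_LISTS` object and the function names are assumptions.

```javascript
// Added example (not the project's own code): expands a payload template the
// way the README describes and checks that a simple filter would catch every
// generated vector. FUZZ_LISTS and the function names are assumptions.
const FUZZ_LISTS = {
  "[TAG]": ["img", "svg"],
  "[EVENT]": ["onerror", "onload"],
  "[ATTR]": ["src", "value"],
};

// Replace every placeholder found in the template with each entry of its list,
// producing the cartesian product of all lists (2 x 2 x 2 = 8 vectors here).
function expand(template, lists) {
  let results = [template];
  for (const name of Object.keys(lists).filter((p) => template.includes(p))) {
    results = results.flatMap((partial) =>
      lists[name].map((value) => partial.split(name).join(value))
    );
  }
  return results;
}

// [SAVE_PAYLOAD] becomes alert(unescape('[PAYLOAD]')) where [PAYLOAD] is the
// URL-encoded vector itself, so the alert identifies which vector fired.
// Assumption: the encoded copy is taken with the marker blanked out.
function withSavePayload(vector) {
  const encoded = encodeURIComponent(vector.replace("[SAVE_PAYLOAD]", ""));
  return vector.replace("[SAVE_PAYLOAD]", `alert(unescape('${encoded}'));`);
}

// Recover what the alert would display from a finished payload.
function alertedPayload(payload) {
  const m = /unescape\('([^']*)'\)/.exec(payload);
  return m ? unescape(m[1]) : null;
}

// Defender side: the generated set doubles as a regression corpus for an
// HTML filter. This toy check only flags inline event-handler attributes.
function flagsEventHandler(vector) {
  return /\son[a-z]+\s*=/i.test(vector);
}

// True when every generated payload is caught by the filter above.
function allVectorsFlagged(template, lists) {
  return expand(template, lists).map(withSavePayload).every(flagsEventHandler);
}
```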
The result for the mentioned fuzzing lists and payload will be the following:

[listing of the generated payloads not preserved in this copy]

When it is executed in a browser such as Mozilla Firefox, it will alert the executed payloads:

[listing of the alerted payloads not preserved in this copy]

# Sending requests

It is possible to use a page vulnerable to XSS for different tests, such as bypasses for the browser XSS Auditor. The page receives a GET or POST parameter called `payload` and simply displays its unescaped value.

# Website

A live version can be found at https://xssfuzzer.com

# Contact

The application is in beta state, so it might have bugs. If you would like to report a bug or make a suggestion, you can use the GitHub repository or send an email to contact [a] xssfuzzer.com.

--------------------------------------------------------------------------------
/fuzzer.html:
--------------------------------------------------------------------------------
(Only the page's text labels survive in this extraction; its markup and script were not preserved. Labels: "XSS Fuzzer"; tabs "Payloads", "Fuzzing lists", "List"; fields "Placeholder:", "Run mode:", "[SAVE_PAYLOAD]:", "Output:".)
--------------------------------------------------------------------------------