Hey Folks, In this tutorial we are going to talk about an interesting tool that can be helpful for us during bug hunting. This tool is specifically designed for beginners who do not discover the vulnerability of cross site scripting in web applications. XSStrike is very powerful tool that tries multiple combinations of payloads to find xss vulnerabilities in web applications.
Lets take a look 🙂 !!
Installation
It is an open source tool hosted on github page and we will download it from github page by using the git tool. After the installation we have to go into the directory for the further process.
1 2 3 | git clone https://github.com/s0md3v/XSStrike.git cd XSStrike ls |
We have to install the pip tool to run this tool.
1 | apt install python3-pip |
Now we can start this tool using python command.
1 | python3 xsstrike.py |
Usage
For the testing purpose we will use the XVWA vulnerable web application. As we know it is an vulnerable web application so we will give the right location of vulnerability and identify does it work or not.
Usage 🙂 python3 xsstrike.py -u
1 | python3 xsstrike.py -u http://192.168.0.114/xvwa/vulnerabilities/reflected_xss/?item= |
We are surprised after getting the result because it has given us many payloads to exploit the vulnerability.
Fuzzer
As we know fuzzing is the automated process of finding hack able software bugs and In this endeavor we are going to use this feature of this tool.
1 | python3 xsstrike.py -u http://192.168.0.114/xvwa/vulnerabilities/reflected_xss/?item= --fuzzer |
Crawl
Crawling is an activity done by people to extract and retrieve the sensetive data from the website but in this case, this feature is created to find vulnerabilities in a website by adding one URL after another.
1 | python3 xsstrike.py -u http://192.168.0.114/xvwa/vulnerabilities/reflected_xss/?item= --crawl |
Conclusion
If you are a beginner then you can use this tool otherwise this tool is not much useful. Because there are many tools available here which are both open source and better.
A keen learner and passionate IT student. He has done Web designing, CCNA, RedHat, Ethical hacking, Network & web penetration testing. Currently, he is completing his graduation and learning about Red teaming, CTF challenges & Blue teaming.