• Stars
    star
    828
  • Rank 55,086 (Top 2 %)
  • Language
    Python
  • License
    MIT License
  • Created over 8 years ago
  • Updated almost 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

XssPy - Web Application XSS Scanner

XssPy - Web Application XSS Scanner

A tool by Fsecurify

Author: Faizan Ahmad https://pk.linkedin.com/in/faizan-ahmad-015964118

Great News: Xsspy was recently used by an engineer at microsoft to find a bug in Pentagon's Bug Bounty Program.

http://holisticinfosec.blogspot.com/2016/06/toolsmith-tidbit-xsspy.html

How to Use:

http://fsecurify.com/xsspy-web-application-xss-scanner/

Installation:

Type the following in the terminal.

git clone https://github.com/faizann24/XssPy/ /opt/xsspy

The tool works on Python 2.7 and you should have mechanize installed. If mechanize is not installed, type "pip install mechanize" in the terminal.

You will also need the mechanize distribution, you can install it with pip: pip install mechanize

Usage:

python XssPy.py website.com (Do not write www.website.com OR http://www.website.com)

Docker

Advantage of Docker is that is will run on every machine. You don't need to install Pip packages or use a Venv. Package versions are pinned. This ensures that XssPy will also run in the future. Regardless which Python-Version you've running on you machine.

Docker build

docker build -t xsspy .

Docker usage

After you build

docker run -t xsspy -u website.com

Payloads

If you have found a XSS vulnerability, you can try the following payloads. http://pastebin.com/J1hCfL9J

Description:

XssPy is a python tool for finding Cross Site Scripting vulnerabilities in websites. This tool is the first of its kind. Instead of just checking one page as most of the tools do, this tool traverses the website and find all the links and subdomains first. After that, it starts scanning each and every input on each and every page that it found while its traversal. It uses small yet effective payloads to search for XSS vulnerabilities.

The tool has been tested parallel with paid Vulnerability Scanners and most of the scanners failed to detect the vulnerabilities that the tool was able to find. Moreover, most paid tools scan only one site whereas XSSPY first finds a lot of subdomains and then scan all the links altogether. The tool comes with:

  1. Short Scanning
  2. Comprehensive Scanning
  3. Finding subdomains
  4. Checking every input on every page

With this tool, Cross Site Scripting vulnerabilities have been found in the websites of MIT, Stanford, Duke University, Informatica, Formassembly, ActiveCompaign, Volcanicpixels, Oxford, Motorola, Berkeley and many more.

NOTE:

Mail me if you encounter any errors ([email protected]). You can also post your problems on the website. I'll try my best to respond as soon as possible.

Best Regards Faizan Ahmad CEO of Fsecurify

More Repositories

1

wifi-bruteforcer-fsecurify

Android application to brute force WiFi passwords without requiring a rooted device.
Java
1,192
star
2

Fwaf-Machine-Learning-driven-Web-Application-Firewall

Machine learning driven web application firewall to detect malicious queries with high accuracy.
Python
416
star
3

Resources-for-learning-Hacking

All the resources I could find for learning Ethical Hacking and penetration testing.
302
star
4

Using-machine-learning-to-detect-malicious-URLs

Machine Learning and Security | Using machine learning to detect malicious URLs
Python
261
star
5

phishytics-machine-learning-for-phishing

Machine Learning for Phishing Website Detection
HTML
50
star
6

Machine-Learning-based-Password-Strength-Classification

Using machine learning to classify passwords in easy, medium and strong category.
Python
27
star
7

Using-Ordered-Markov-Chains-and-User-Information-to-Speed-up-Password-Cracking

Using Ordered Markov Chains and User Information to Speed up Password Cracking
27
star
8

Intro-to-Machine-Learning

Introductory resources for machine learning
16
star
9

Cyber-Security-Courses-by-Different-Universities

A list of computer security courses by different universities.
15
star
10

toxnic

No more hateful content on the internet!
JavaScript
8
star
11

fbot-bot-that-teaches-hacking-and-security

A chat bot that teaches you stuff about hacking and security.
Python
8
star
12

faizann24.github.io

CSS
6
star
13

Authorship-Attribution

Authorship Attribution with Machine Learning
Python
6
star
14

Fnews-Automatic-retrieval-of-latest-hacking-news-and-tweets

Automatic retrieval of latest hacking news and tweets
Python
4
star
15

Twitter-Sentiment-Analysis-using-1d-Convolutional-Neural-Networks

Twitter Sentiment Analysis using 1d Convolutional Neural Networks
Python
4
star
16

Predicting-Scores-Wickets-and-Results-of-Cricket-Matches-using-Machine-Learning

Predicting Scores, Wickets and Results of Cricket Matches using Machine Learning
3
star
17

Computer-Science-Topics-and-their-Practical-Applications

Even wonder about the practical applications of all the CS stuff we study? You no longer have to. This repository presents many practical applications of computer science subjects and topics.
2
star
18

ifttt-recipe-dataset

1
star
19

Predicting-Projected-Scores-at-any-point-in-a-cricket-match-using-Machine-Learning

Predicting Projected Scores at any point in a cricket match using Machine Learning
1
star