Introducing xsssniper

2011/09/16

I wrote a little app called xsssniper to automatically test XSS injection points in target URLs.

$ python xsssniper.py --url 'X' --payload 'Y' --check 'Z'

What it does is scan the target URL for GET parameters, inject an XSS payload (Y) into each of them, and parse the response for artefacts of the injection (Z).

The simplest example would be to inject <script type="text/javascript">window.alert('lol')</script> and check for <script type="text/javascript">window.alert('lol')</script> in the response. If there is a match, maybe we have just found an XSS.

If no check is specified, xsssniper will use the payload itself as the check.

If no payload is specified either, a special file will be parsed for common payloads (lib/payloads.xml, feel free to contribute!).

Another useful feature is the ability to crawl the target URL for relative links. Every link found is added to the scan queue and processed, so it's easier to test an entire website.

In the end this method is not foolproof, but it's a good heuristic to mass-find injection points and test escape strategies. Also, since there is no browser emulation, it is up to you to manually test discovered injections against the various browsers' XSS protections.
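The inject-and-check heuristic described above, written out as an added example in plain Python; this is not code from xsssniper itself. The target is a constructed stand-in (fake_server, with the URL example.test and the helper names injected_urls and scan_parameter_reflections all hypothetical) so it runs offline, and its escaped mode shows why a match is only a "maybe" and how output encoding defeats the artefact check.

```python
from html import escape
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Same default payload the post uses as its simplest example.
DEFAULT_PAYLOAD = "<script type=\"text/javascript\">window.alert('lol')</script>"


def injected_urls(url, payload=DEFAULT_PAYLOAD):
    """Return (parameter name, URL) pairs: one URL per GET parameter,
    with that single parameter's value replaced by the payload."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    result = []
    for i, (name, _value) in enumerate(params):
        mutated = list(params)
        mutated[i] = (name, payload)
        result.append((name, urlunsplit(parts._replace(query=urlencode(mutated)))))
    return result


def scan_parameter_reflections(url, fetch, payload=DEFAULT_PAYLOAD, check=None):
    """Return the names of GET parameters whose injected response contains
    the check string. As in the post, the check defaults to the payload
    itself. fetch(url) returns the response body as a string."""
    check = check if check is not None else payload
    return [name for name, u in injected_urls(url, payload) if check in fetch(u)]


def fake_server(url, escaped=False):
    """Constructed stand-in for a target (hypothetical, not a real site).
    It reflects the 'q' parameter into the page and ignores 'page'.
    With escaped=True the reflection is HTML-escaped, which is the
    output-encoding defence that makes the artefact check fail."""
    query = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    value = query.get("q", "")
    if escaped:
        value = escape(value, quote=True)
    return f"<html><body>Results for: {value}</body></html>"


if __name__ == "__main__":
    target = "http://example.test/search?q=test&page=1"  # constructed URL
    # Raw reflection: 'q' is flagged as a candidate injection point.
    print(scan_parameter_reflections(target, fake_server))  # ['q']
    # Escaped reflection: nothing matches, so nothing is flagged.
    print(scan_parameter_reflections(target, lambda u: fake_server(u, escaped=True)))  # []
```

A flagged parameter only means the raw artefact came back; as the post says, whether it actually executes still has to be confirmed in a browser.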

Here is the usage:

Usage: xsssniper.py [options]

Options:
  -h, --help            show this help message and exit
  -u URL, --url=URL     target URL
  -p PAYLOAD, --payload=PAYLOAD
                        payload to inject. If the payload is not
                        specified standard payloads from lib/payloads.xml
                        will be used
  -c CHECK, --check=CHECK
                        payload artefact to search in response
  --threads=THREADS     number of threads
  --http-proxy=HTTP_PROXY
                        scan behind given proxy (format: 127.0.0.1:80)
  --tor                 scan behind default Tor
  --crawl               crawl target url for other links to test

Its development is still active and I am adding features day after day.

For any suggestions feel free to contact me (mail or twitter); meanwhile, check out the repository.

Follow me: @gbrindisi