I wrote a little app called xsssniper to automatically test XSS injection points in target URLs.
$ python xsssniper.py --url 'X' --payload 'Y' --check 'Z'
What it does is scanning target URL for GET parameters and then inject an XSS payload (Y) into them and parse the response for artefacts of the injection (Z).
The simplest example would be to inject
<script type="text/javascript">window.alert('lol')</script> and check for
<script type="text/javascript">window.alert('lol')</script>, if we have a match maybe we have
just found an XSS.
If no check is specified xssniper will consider payload and check the same.
If no payload is specified as well a special file will be parsed for common
payloads (lib/payloads.xml, feel free to contribute!).
Another useful feature is the ability to crawl the target URL for relative links. Every link found is added to the scan queue and processed, so it's easier to test an entire website.
In the end this method is not fool proof but it's a good heuristic to mass find injection points and test escape strategies. Also since there is no browser emulation is your duty to manual test discovered injections against various browser's xss protections.
Here is the usage:
Usage: xsssniper.py [options]
Options:
-h, --help show this help message and exit
-u URL, --url=URL target URL
-p PAYLOAD, --payload=PAYLOAD
payload to inject. If the payload is not
specified standard payloads from lib/payloads.xml
will be used
-c CHECK, --check=CHECK
payload artefact to search in response
--threads=THREADS number of threads
--http-proxy=HTTP_PROXY
scan behind given proxy (format: 127.0.0.1:80)
--tor scan behind default Tor
--crawl crawl target url for other links to test
It's development is still active and I am adding features day after day.
For any suggestion feel free to contact me (mail or twitter) meanwhile check out the repository.