I wrote a little app called xsssniper to automatically test XSS injection points in target URLs.
$ python xsssniper.py --url 'X' --payload 'Y' --check 'Z'
It scans the target URL for GET parameters, injects an XSS payload (Y) into each of them, and parses the response for artefacts of the injection (Z).
The simplest example would be to inject
just found an XSS.
If no check is specified, xsssniper will treat the payload and the check as the same string.
If no payload is specified either, a special file will be parsed for common payloads (lib/payloads.xml, feel free to contribute!).
Another useful feature is the ability to crawl the target URL for relative links. Every link found is added to the scan queue and processed, so it's easier to test an entire website.
In the end this method is not foolproof, but it is a good heuristic to mass-find injection points and test escape strategies. Also, since there is no browser emulation, it is your duty to manually test discovered injections against the various browsers' XSS protections.
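To make the heuristic concrete, here is an added Python example (not xsssniper's own code): it rebuilds the target URL with a marker in one GET parameter at a time, then classifies how the marker comes back in a response body. The "encoded" outcome is the case the plain substring check cannot tell apart from "absent", which is why a verbatim hit is only a hint and an escaped reflection usually means output encoding is doing its job. The URL, the marker and the response bodies are all constructed for the example.

```python
import html
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def inject_into_params(url: str, payload: str) -> dict:
    """Return {param_name: url_with_payload} for every GET parameter,
    substituting one parameter at a time (the scan model described above)."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    injected = {}
    for i, (name, _value) in enumerate(params):
        mutated = list(params)
        mutated[i] = (name, payload)  # only this parameter carries the payload
        injected[name] = urlunsplit(parts._replace(query=urlencode(mutated)))
    return injected


def classify_reflection(body: str, check: str) -> str:
    """Classify how the check string comes back in a response body.

    'raw'     -> check appears verbatim (what the substring heuristic flags)
    'encoded' -> check appears only HTML-escaped (output encoding neutralised it)
    'absent'  -> check does not appear at all
    """
    if check in body:
        return "raw"
    # html.escape with and without quote escaping covers both common encoders.
    for escaped in (html.escape(check), html.escape(check, quote=False)):
        if escaped != check and escaped in body:
            return "encoded"
    return "absent"


# Constructed sample data: a harmless marker instead of a real payload, and
# three server responses that reflect it raw, escaped, or not at all.
MARKER = '<xss_marker "q">'
URL = "http://example.test/search?q=shoes&page=2"
BODY_RAW = f"<p>Results for <b>{MARKER}</b></p>"
BODY_ENCODED = f"<p>Results for <b>{html.escape(MARKER)}</b></p>"
BODY_ABSENT = "<p>No results</p>"


def demo() -> dict:
    """Run the classifier over the constructed bodies and return the verdicts."""
    return {
        "urls": inject_into_params(URL, MARKER),
        "raw": classify_reflection(BODY_RAW, MARKER),
        "encoded": classify_reflection(BODY_ENCODED, MARKER),
        "absent": classify_reflection(BODY_ABSENT, MARKER),
    }
```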
Here is the usage:
Usage: xsssniper.py [options]

Options:
  -h, --help                      show this help message and exit
  -u URL, --url=URL               target URL
  -p PAYLOAD, --payload=PAYLOAD   payload to inject. If the payload is not specified
                                  standard payloads from lib/payloads.xml will be used
  -c CHECK, --check=CHECK         payload artefact to search in response
  --threads=THREADS               number of threads
  --http-proxy=HTTP_PROXY         scan behind given proxy (format: 127.0.0.1:80)
  --tor                           scan behind default Tor
  --crawl                         crawl target url for other links to test
Its development is still active and I am adding features day after day.