search

s0md3v / XSStrike

Most advanced XSS scanner.
GNU General Public License v3.0
13.35k stars 1.9k forks source link

Please add ability to detect XSS #414

Open reevesy1 opened 2 months ago

reevesy1 commented 2 months ago

I'm assuming this tool isn't maintained anymore or decided to target some other vuln other than XSS, which would make the its name kind of unfortunate. That or somethings gone wrong with mine as it couldn't find water if it fell out of a boat. I even gave it the link to vulnerable DVWA page that i even left a working payload in it and it still can't find an XSS. Surely i'm doing something wrong here. python3 xsstrike.py -u http://10.6.6.100/vulnerabilities/xss_r/?name=


[~] Checking for DOM vulnerabilities 
[+] WAF Status: Offline 
[!] Testing parameter: name 
[-] No reflection found 

        XSStrike v3.1.5                                                                                                 

[~] Checking for DOM vulnerabilities 
[-] No parameters to test. 
[~] Checking for DOM vulnerabilities 
[~] Checking for DOM vulnerabilities 
[+] WAF Status: Offline 
[+] WAF Status: Offline 
[!] Testing parameter: name 
[!] Testing parameter: name 
[-] No reflection found 
[-] No reflection found

image 2024-09-09_11-42

TitoSantana609 commented 1 month ago

It helps if you add the URL in a string like this:

python3 xsstrike.py -u "http://10.6.6.100/vulnerabilities/xss_r/?name=test"

Ive had way more success with this when enclosing the URL in quotes than if I didn't do it.

sitsrimts commented 1 week ago

even if it does find something, it just parses out some nonsense payloads with maximum confidence, like: [+] Payload: <hTmL/+/ONPointEreNTEr%0a=%0aconfirm()%0dx// [!] Efficiency: 92 [!] Confidence: 10 and they never work.