XSSploit

Phase(s):

Primary: Discovery.
Secondary: N/A.

Description:

Tool specialized in detecting Cross Site Scripting vulnerabilities. Additionally, it generates the required payload to exploit the detected vulnerabilities.

Objective:

  • Detect Cross Site Scripting vulnerabilities and prepare them for exploitation.

Features:

Supported technologies: Web applications (HTTP/HTTPS).

Operative mode: Active.

  • Provides a list of the web application's URLs and forms through a spidering module.
  • Fixed analysis of the “text” inputs of the forms detected during spidering, searching for Cross Site Scripting vulnerabilities.
  • Provides a list of detected vulnerabilities based on the analysis, which includes the following information:
    • Whether the vulnerability can be exploited or not.
    • URL.
    • Cross Site Scripting type: Stored or Reflected.
    • HTTP method used (GET/POST).
    • Parameter name.
    • Context.
  • Provides several payloads to perform the exploitation of the vulnerability.
  • Basic authentication support.
  • Customizable spidering module that allows the definition of new regular expressions through a configuration file.

Reports:
Output reports:
Customizable reports in XML format with the following options:

  • Detected pages by the spidering module.
  • Detected Forms and parameters.
  • Cross Site Scripting vulnerabilities detected and exploited.

Basic usage:

Perform a vulnerability scan on a web application. Start the tool; the GUI offers three tabs: “Scan”, “XSS Exploit” and “Report”.

On the “Scan” tab, provide the web application URL and press the “Spider” button. On the right panel, the tool will list the URLs, forms and parameters detected in the web application.

Press the “Analyze” button under the displayed results to begin the Cross Site Scripting analysis. Once the analysis is completed, the number of vulnerabilities, both detected and exploitable, is displayed on the progress bar.

The analysis results are shown on the “XSS” tab.

The “Exploit” tab presents the available payload options to be used for the exploitation of the Cross Site Scripting vulnerabilities. Choose any vulnerability from the “Exploitable XSS” as well as a payload type.

Pressing “Generate exploit code” makes the tool generate and display the payload required to exploit the vulnerability; for a POST request it will include the payload, while for a GET request it will include the payload along with the URL.

Finally, on the “Report” tab, select the required export format and press the “Save” button.

Resources:

Link: http://www.scrt.ch/en/attack/downloads/xssploit
Author(s): SCRT Information Security
Contact: info [at] scrt.ch
License: GNU GENERAL PUBLIC LICENSE, Version 2