Share
## https://sploitus.com/exploit?id=565F04BD-D101-57B6-868E-7CAE6DC6D15C
# DOM XSS Scanner & PoC Generator

**Developed by Vishal Bharad**

A comprehensive DOM-based vulnerability scanner that performs both static analysis and dynamic testing to detect Cross-Site Scripting (XSS) vulnerabilities in web applications. When XSS is **confirmed** (dynamically verified), it automatically generates Proof-of-Concept (PoC) HTML files.

---

## Features

- **Static Analysis** โ€” Scans JavaScript files for dangerous source-to-sink data flows (innerHTML, eval, document.write, etc.)
- **Dynamic Testing** โ€” Uses Selenium to load pages and inject payloads, confirming real XSS with alert() detection
- **javascript: Protocol Injection** โ€” Detects and tests URL parameters used as navigation targets without protocol filtering
- **postMessage XSS Testing** โ€” Dynamically sends payloads via postMessage to test handlers for XSS
- **Prototype Pollution Detection** โ€” Identifies potential prototype pollution vectors
- **Sensitive Data Exposure** โ€” Finds hardcoded API keys, tokens, and internal URLs in JS files
- **Framework-Specific Scanning** โ€” Angular (bypassSecurityTrust), React (dangerouslySetInnerHTML), jQuery (.html(), .append())
- **PoC Generation** โ€” Generates ready-to-use PoC HTML files **only for confirmed vulnerabilities**
- **Multi-Format Reports** โ€” HTML, JSON, and TXT reports with severity filtering
- **Crawling** โ€” Recursive page crawling to discover and analyze all JavaScript on a target

---

## Requirements

### Python Version
- Python 3.8 or higher

### Required Packages

```
requests
tldextract
jsbeautifier
beautifulsoup4
colorama
```

### Optional (for Dynamic Testing)

```
selenium
```

> **Note:** Dynamic testing (actual XSS confirmation via browser) requires Selenium + Chrome/ChromeDriver. Without it, the tool still performs heuristic detection and full static analysis.

---

## Installation

### 1. Clone or copy the tool

```powershell
cd C:\TFS\Tools\XSS
```

### 2. Install required dependencies

```powershell
pip install requests tldextract jsbeautifier beautifulsoup4 colorama
```

### 3. Install Selenium (recommended, for dynamic XSS confirmation)

```powershell
pip install selenium
```

### 4. Install ChromeDriver

- Download from: https://googlechromelabs.github.io/chrome-for-testing/
- Ensure `chromedriver.exe` is in your system PATH, or in the same directory as the script
- ChromeDriver version must match your installed Chrome browser version

Alternatively, install `webdriver-manager` for automatic driver management:

```powershell
pip install webdriver-manager
```

---

## Usage

### Basic Scan (Single URL)

```powershell
python dom.py -u https://example.com
```

### Scan with PoC Generation

```powershell
python dom.py -u https://example.com --generate-pocs
```

### Scan with Specific URL Parameter Testing

```powershell
python dom.py -u "https://target.com/login.html?loginUrl=" --extra-params loginUrl --generate-pocs -v
```

### Scan Multiple URLs from File

```powershell
python dom.py -l urls.txt --generate-pocs --report-format all
```

### Analyze Local JavaScript Files

```powershell
python dom.py --js-file app.js utils.js
python dom.py --js-file ./js-directory/
```

### Full Scan with All Options

```powershell
python dom.py -u https://target.com --depth 3 --threads 10 --all-origins --generate-pocs --report-format all -v
```

### With Authentication (Cookies/Headers)

```powershell
python dom.py -u https://target.com --cookies "session=abc123; token=xyz" --headers "Authorization: Bearer mytoken"
```

### With Proxy (e.g., Burp Suite)

```powershell
python dom.py -u https://target.com --proxy http://127.0.0.1:8080
```

### Disable Dynamic Testing

```powershell
python dom.py -u https://target.com --no-dynamic
```

### Confirmed XSS Finding
https://github.com/vbharad/DOMXSSScanner/blob/main/Confirmed%20XSS.png

---

## Command-Line Options

| Option | Description |
|--------|-------------|
| `-u, --url` | Target URL to scan |
| `-l, --url-list` | File containing list of URLs (one per line) |
| `--js-file` | Local JavaScript file(s) or directory to analyze |
| `--depth` | Maximum crawl depth (default: 2) |
| `--threads` | Concurrent threads for fetching JS files (default: 5) |
| `--all-origins` | Include JS files from all origins (not just same-origin) |
| `--no-beautify` | Skip JS beautification (faster but less accurate) |
| `--dynamic` | Enable dynamic URL parameter testing (default: enabled) |
| `--no-dynamic` | Disable dynamic URL parameter testing |
| `--extra-params` | Additional URL parameter names to test |
| `--min-severity` | Minimum severity to report: critical, high, medium, low, info |
| `--cookies` | Cookies to send (format: "name1=val1; name2=val2") |
| `--headers` | Custom headers (format: "Header-Name: value") |
| `--proxy` | HTTP/HTTPS proxy (e.g., http://127.0.0.1:8080) |
| `-o, --output-dir` | Output directory for reports/PoCs (default: dom_xss_reports) |
| `--report-format` | Report format(s): json, html, txt, all |
| `--generate-pocs` | Generate PoC HTML files for confirmed findings |
| `-v, --verbose` | Enable verbose/debug output |

---

## How It Works

### Scan Phases

1. **Phase 1: JavaScript Collection**
   - Crawls target pages recursively (up to `--depth`)
   - Collects external JS file URLs and inline `` content
   - Extracts JS from event handler attributes and `javascript:` hrefs

2. **Phase 2: Static Analysis of External JS**
   - Fetches all discovered JS files
   - Beautifies code for accurate line numbers
   - Scans for dangerous sinks (innerHTML, eval, location, jQuery methods, etc.)
   - Traces source-to-sink data flows
   - Calculates confidence based on proximity, variable tracing, and sanitization detection

3. **Phase 3: Static Analysis of Inline Scripts**
   - Same analysis as Phase 2 but on inline `` content

4. **Phase 3.5: Dynamic Testing**
   - **URL Parameter Testing:** Detects URL params, injects `javascript:` protocol payloads, checks for reflection and alert execution
   - **postMessage Testing:** Detects message handlers, sends XSS payloads via `postMessage()`, confirms alert execution
   - Findings are marked as **CONFIRMED** only when alert() actually fires

5. **Phase 4: PoC Generation (Confirmed Only)**
   - Generates tailored PoC HTML files **only** for dynamically confirmed XSS
   - PoCs include test payloads, attack description, and copy-to-clipboard reports

6. **Phase 5: Report Generation**
   - All findings (static + dynamic) appear in the final report
   - Reports available in HTML, JSON, and TXT formats

---

## Output Structure

```
dom_xss_reports/
โ”œโ”€โ”€ pocs/
โ”‚   โ”œโ”€โ”€ poc_CONFIRMED_1_javascript_protocol_injection_critical.html
โ”‚   โ”œโ”€โ”€ poc_CONFIRMED_2_postmessage_xss_critical.html
โ”‚   โ””โ”€โ”€ ...
โ”œโ”€โ”€ report_https___target_com_20260429_143000.html
โ”œโ”€โ”€ report_https___target_com_20260429_143000.json
โ””โ”€โ”€ report_https___target_com_20260429_143000.txt
```

---

## Vulnerability Categories Detected

### Critical
- DOM XSS via innerHTML/outerHTML/document.write
- JavaScript execution via eval()/Function()/setTimeout with strings
- javascript: protocol injection via URL parameters
- postMessage XSS (no origin validation + unsafe data handling)
- Angular bypassSecurityTrust*
- Hardcoded cloud credentials (AWS, GitHub, Stripe, etc.)
- iframe srcdoc injection

### High
- jQuery XSS sinks (.html(), .append(), $() with user input)
- URL/attribute manipulation (.src=, .href=, .action=)
- Prototype Pollution vectors
- postMessage handlers without origin checks
- React dangerouslySetInnerHTML
- Client-side template injection

### Medium
- Open Redirect via DOM
- Cookie manipulation
- WebSocket injection
- DOM Clobbering
- Dangerous APIs (createContextualFragment, DOMParser, etc.)

### Low/Info
- Debug information exposure
- Sensitive comments in code

---

## Examples

### Detecting javascript: Protocol XSS (like your loginUrl case)

```powershell
python dom.py -u "https://app.example.com/login.html?isiclogin=false&loginUrl=" --generate-pocs -v
```

The tool will:
1. Detect `loginUrl` as a potential redirect parameter
2. Inject `javascript:alert(1337)` and other payloads
3. If Selenium is available, open the page and confirm if alert fires
4. Generate a PoC HTML file only if confirmed

### Detecting postMessage XSS

```powershell
python dom.py -u "https://app.example.com/dashboard" --generate-pocs
```

The tool will:
1. Load the page in headless Chrome
2. Detect if message event listeners exist
3. Send XSS payloads via `window.postMessage()`
4. If alert fires โ†’ confirmed, PoC generated

---

## Limitations

1. **Dynamic testing requires Selenium + Chrome** โ€” Without it, only static analysis and heuristic detection are performed (no confirmed PoCs generated)

2. **Single-page application (SPA) challenges** โ€” Pages that require complex user interaction or authentication flows before revealing vulnerable code may need `--cookies` or manual exploration

3. **Rate limiting** โ€” Aggressive crawling may trigger WAF/rate limits. Use `--proxy` with Burp Suite for throttling

4. **False positives in static analysis** โ€” Source-to-sink tracing is heuristic-based. Not all reported sinks are exploitable. Only `[CONFIRMED]` findings are verified

5. **Client-side rendering** โ€” If JavaScript is loaded dynamically (lazy loading, code splitting), the crawler may not discover all JS files. Increase `--depth` or use `--js-file` for local analysis

6. **CSP/frame-ancestors** โ€” Targets with strict Content Security Policy may block PoC payloads from executing even if the vulnerability exists

7. **Obfuscated/minified code** โ€” While `jsbeautifier` handles most minified code, heavily obfuscated JS (webpack chunks, custom obfuscation) may reduce detection accuracy

8. **Authentication-gated pages** โ€” Use `--cookies` and `--headers` to provide valid session tokens for authenticated scanning

9. **No CSRF token handling** โ€” The tool does not automatically handle CSRF-protected forms

10. **Browser version dependency** โ€” ChromeDriver version must match installed Chrome version exactly

---

## Exit Codes

| Code | Meaning |
|------|---------|
| 0 | No critical or high findings |
| 1 | High severity findings detected |
| 2 | Critical severity findings detected |
| 130 | Scan interrupted by user (Ctrl+C) |

---

## Tips

- Always use `--generate-pocs` to get PoC files for confirmed findings
- Use `-v` (verbose) for debugging when the tool doesn't detect expected issues
- Use `--extra-params paramName` if you know a specific parameter is vulnerable but not in the built-in list
- Combine with Burp Suite: `--proxy http://127.0.0.1:8080` to capture all traffic
- For large applications, scan specific pages rather than the root URL
- Check the HTML report for a visual summary with severity filtering

---

## Disclaimer

This tool is intended for authorized security testing, bug bounty programs, and internal security assessments. Always obtain proper authorization before scanning any target. Unauthorized scanning is illegal and unethical.

---

**Developed by Vishal Bharad**