## https://sploitus.com/exploit?id=8F0CF880-F8AD-516D-B993-67F042D9A833
```
███████╗██╗  ██╗ █████╗ ██████╗ ██╗███╗   ██╗ ██████╗  █████╗ ███╗   ██╗
██╔════╝██║  ██║██╔══██╗██╔══██╗██║████╗  ██║██╔════╝ ██╔══██╗████╗  ██║
███████╗███████║███████║██████╔╝██║██╔██╗ ██║██║  ███╗███████║██╔██╗ ██║
╚════██║██╔══██║██╔══██║██╔══██╗██║██║╚██╗██║██║   ██║██╔══██║██║╚██╗██║
███████║██║  ██║██║  ██║██║  ██║██║██║ ╚████║╚██████╔╝██║  ██║██║ ╚████║
╚══════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝  ╚═══╝ ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═══╝
```

**Madara Uchiha's Sharingan — The Eye That Sees Every Vulnerability**

*"The Sharingan reflects all that exists in this world and allows its owner to see through every deception."*
— Madara Uchiha

[![Python](https://img.shields.io/badge/Python-3.8%2B-red?style=flat-square&logo=python&logoColor=white)](https://python.org)
[![License](https://img.shields.io/badge/License-MIT-darkred?style=flat-square)](LICENSE)
[![Vectors](https://img.shields.io/badge/Detection%20Vectors-30-crimson?style=flat-square)]()
[![Payloads](https://img.shields.io/badge/Payloads-329-red?style=flat-square)]()
[![Research](https://img.shields.io/badge/Research-OWASP%20%7C%20PortSwigger%20%7C%20HackerOne-black?style=flat-square)]()



---

## ⚠️ Legal Disclaimer

> **This tool is intended for authorized security testing and educational purposes ONLY.**
> Using this tool against systems you do not own or have explicit written permission to test is **illegal** and may result in criminal prosecution.
> The author assumes **zero liability** for any misuse or damage caused by this tool.
> **You are solely responsible for your actions.**

---

## 🔴 What is Sharingan?

**Sharingan** is a research-grade XSS (Cross-Site Scripting) detection tool built for penetration testers, bug bounty hunters, and security engineers. Named after Madara Uchiha's legendary eye technique that can perceive any attack, Sharingan is engineered to detect **every known class of XSS vulnerability** across web applications.

Built from scratch using real-world research from:
- [OWASP XSS Filter Evasion Cheatsheet](https://owasp.org/www-community/xss-filter-evasion-cheatsheet)
- [PortSwigger Web Security Academy](https://portswigger.net/web-security/cross-site-scripting)
- [HackerOne Disclosed Reports](https://hackerone.com/hacktivity)
- [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings)
- [HackTricks Book](https://book.hacktricks.xyz)
- [Snyk CVE Database](https://security.snyk.io) (2019–2025)
- [Intigriti Monthly XSS Challenges](https://intigriti.com) (2023–2024)
- Cure53 mXSS Research (Masato Kinugawa)
- buer.haus DOM Clobbering Research (2024)

---

## 🥷 Detection Arsenal — 30 Vectors

### Injection Surface

| # | Vector | Severity Range |
|---|--------|---------------|
| 01 | **Reflected XSS** — Context-aware: HTML / Attr / JS / CSS / URL / Template | CRITICAL–HIGH |
| 02 | **Path-Based XSS** — URL path segment reflection | HIGH |
| 03 | **Stored XSS** — HTML forms (GET + POST), field-by-field | CRITICAL–HIGH |
| 04 | **JSON API XSS** — REST / GraphQL body field injection | HIGH |
| 05 | **DOM Static Analysis** — 14 taint sources → 15 critical sinks | CRITICAL–MEDIUM |
| 06 | **DOM Fragment / Query** — URL hash and query string DOM injection | HIGH |
| 07 | **Blind XSS (OAST)** — Out-of-band deferred execution (admin panels) | CRITICAL |
| 08 | **Second-Order XSS** — Stored safely, rendered unsafely elsewhere | CRITICAL |
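The source-to-sink scan behind vector 05 can be illustrated with a small static checker. This is an added example, not Sharingan's own code: `SOURCES` and `SINKS` are a constructed subset chosen for the example (the tool's 14-source / 15-sink lists are not reproduced on this page), and `SAMPLE_JS` is a constructed page script containing both safe and unsafe flows.

```python
import re

# Constructed subset of DOM taint sources (attacker-influenced reads) and
# execution sinks (places where a string becomes markup or code).
SOURCES = [
    r"\blocation\.(hash|search|href|pathname)\b",
    r"\bdocument\.(URL|documentURI|referrer|cookie|baseURI)\b",
    r"\bwindow\.name\b",
]
SINKS = [
    r"\.(innerHTML|outerHTML)\s*=(?!=)",
    r"\.insertAdjacentHTML\s*\(",
    r"\bdocument\.write(ln)?\s*\(",
    r"\beval\s*\(",
    r"\bnew\s+Function\s*\(",
    r"\blocation\.(href|assign|replace)\s*(=(?!=)|\()",
]
# `var x = <expr>` / `x = <expr>` on one line; used to propagate taint to names.
ASSIGN_RE = re.compile(
    r"^\s*(?:(?:var|let|const)\s+)?([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+?);?\s*$"
)
IDENT_RE = re.compile(r"[A-Za-z_$][\w$]*")


def _is_tainted(expr, tainted):
    """True if the expression reads a source directly or uses a tainted name."""
    if any(re.search(src, expr) for src in SOURCES):
        return True
    return bool(set(IDENT_RE.findall(expr)) & tainted)


def find_dom_flows(js):
    """Scan inline JavaScript line by line; return flows that reach a sink.

    Deliberately simple: taint is tracked per variable name across lines,
    but there is no interprocedural analysis and no sanitizer awareness.
    """
    tainted = set()
    findings = []
    for lineno, line in enumerate(js.splitlines(), 1):
        for sink in SINKS:
            m = re.search(sink, line)
            if m:
                # Whatever follows the sink match is the value handed to it.
                if _is_tainted(line[m.end():], tainted):
                    findings.append(
                        {"line": lineno, "sink": m.group(0).strip(), "code": line.strip()}
                    )
                break
        else:
            m = ASSIGN_RE.match(line)
            if m and _is_tainted(m.group(2), tainted):
                tainted.add(m.group(1))
    return findings


# Constructed sample: lines 3 and 5 are real flows, lines 4 and 6 are not.
SAMPLE_JS = """\
var q = new URLSearchParams(location.search).get('q');
var label = document.getElementById('label').textContent;
document.getElementById('out').innerHTML = '<b>' + q + '</b>';
document.getElementById('out2').innerHTML = label;
eval(decodeURIComponent(location.hash.slice(1)));
document.getElementById('out3').textContent = q;
"""

if __name__ == "__main__":
    for f in find_dom_flows(SAMPLE_JS):
        print(f"line {f['line']}: {f['sink']}  <-  {f['code']}")
```

Findings from a regex-level pass like this are leads, not confirmed bugs: a value passed through DOMPurify or `encodeURIComponent` before the sink will still be reported, and taint carried through function calls or object properties will be missed. That is why a static vector is paired with dynamic fragment/query injection (vector 06) in the table above.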

### HTTP Transport Layer

| # | Vector | Severity Range |
|---|--------|---------------|
| 09 | **Header Injection XSS** — 16 headers: Referer, X-Forwarded-*, Via, Origin... | HIGH |
| 10 | **Cookie-Based XSS** — Cookie values reflected in response body | HIGH |
| 11 | **Web Cache Poisoning → XSS** — Unkeyed headers + cache hit = stored for all users | HIGH–MEDIUM |

### Endpoint Special Cases

| # | Vector | Severity Range |
|---|--------|---------------|
| 12 | **JSONP Endpoint XSS** — Arbitrary callback function name injection | HIGH |
| 13 | **XSSI Detection** — Dynamic JS auth vs no-auth response diff | MEDIUM |
| 14 | **Open Redirect → XSS** — `javascript:` URI via 32 redirect param names | HIGH |
| 15 | **SVG / File Upload XSS** — Malicious SVG, polyglot upload vectors | CRITICAL |
| 16 | **Server-Side XSS → PDF** — HTML injection into headless browser PDF generators | HIGH–INFO |
| 17 | **Markdown / Rich Text XSS** — `[x](javascript:)`, `![x](data:)`, raw HTML in MD | HIGH |

### Client-Side Deep Analysis

| # | Vector | Severity Range |
|---|--------|---------------|
| 18 | **postMessage XSS** — Wildcard `addEventListener`, no origin validation | HIGH |
| 19 | **Prototype Pollution → DOM XSS** — `__proto__` gadget chains | HIGH–MEDIUM |
| 20 | **DOM Clobbering → XSS** — `id`/`name` attribute global variable override | MEDIUM |
| 21 | **Mutation XSS (mXSS)** — DOMPurify bypass, browser parser mutation | HIGH |
| 22 | **Client-Side Template Injection** — AngularJS sandbox escape, Vue `v-html`, Handlebars | CRITICAL |
| 23 | **Framework Detection** — Angular / Vue / React / jQuery / Handlebars risk mapping | INFO |

### Evasion & Encoding

| # | Vector | Severity Range |
|---|--------|---------------|
| 24 | **WAF Detection + Adaptive Bypass** — Auto case/null/encode rotation on 403/429 | CRITICAL |
| 25 | **Encoding Bypass** — URL / HTML entities / Unicode / base64 / UTF-7 / charCode | HIGH |

### Configuration Audit

| # | Vector | Severity Range |
|---|--------|---------------|
| 26 | **CSP Deep Audit** — unsafe-inline/eval, wildcards, JSONP bypass domains, missing form-action | HIGH–LOW |
| 27 | **Security Header Audit** — 9 headers with per-header fix guidance | MEDIUM–INFO |
| 28 | **Dangling Markup Injection** — iframe name / img src data exfiltration | MEDIUM |
| 29 | **Self-XSS + Escalation Analysis** — CSRF chain + clickjacking path suggestions | LOW |
| 30 | **iframe / srcdoc / object / embed XSS** — Nested srcdoc, data: URI vectors | HIGH |
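Vectors 26 and 27 are passive: they only read response headers. The checker below shows the kind of logic such an audit runs. It is an added example and not Sharingan's code; `EXPECTED_HEADERS` is a constructed selection with fix text written for this example (not the tool's own 9-header list), the CSP checks cover the weaknesses named in the table row (unsafe-inline/eval, wildcard origins, missing form-action) plus object-src and base-uri, and `WEAK_HEADERS` / `HARDENED_HEADERS` are constructed responses.

```python
# Response headers expected on an HTML page, with severity when absent and a fix hint.
EXPECTED_HEADERS = {
    "content-security-policy": ("HIGH", "add a CSP with a nonce- or hash-based script-src"),
    "x-content-type-options": ("MEDIUM", "set 'nosniff' so uploads/JSONP are not sniffed as HTML"),
    "x-frame-options": ("MEDIUM", "set DENY or SAMEORIGIN (or CSP frame-ancestors)"),
    "strict-transport-security": ("MEDIUM", "set max-age=31536000; includeSubDomains"),
    "referrer-policy": ("LOW", "set strict-origin-when-cross-origin or stricter"),
    "permissions-policy": ("LOW", "disable browser features the app does not use"),
}
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
# Script sources that let any origin (or inline data) supply script.
ANY_ORIGIN = {"*", "http:", "https:", "data:"}


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.lower().split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def audit_csp(value):
    """Return (severity, message) findings for one CSP header value."""
    policy = parse_csp(value)
    findings = []
    # script-src falls back to default-src when absent.
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        findings.append(("HIGH", "CSP has neither script-src nor default-src"))
    else:
        # Browsers ignore 'unsafe-inline' when a nonce or hash is also listed.
        if "'unsafe-inline'" in script and not any(s.startswith(NONCE_OR_HASH) for s in script):
            findings.append(("HIGH", "script-src permits 'unsafe-inline' with no nonce/hash"))
        if "'unsafe-eval'" in script:
            findings.append(("MEDIUM", "script-src permits 'unsafe-eval'"))
        for s in script:
            if s in ANY_ORIGIN:
                findings.append(("HIGH", f"script-src allows scripts from any origin via {s}"))
    if "object-src" not in policy and "default-src" not in policy:
        findings.append(("MEDIUM", "object-src not restricted (plugin-based script execution)"))
    if "base-uri" not in policy:
        findings.append(("LOW", "base-uri not restricted (relative script URLs can be redirected)"))
    if "form-action" not in policy:
        findings.append(("LOW", "form-action not restricted (forms can post to other origins)"))
    return findings


def audit_headers(headers):
    """Audit a mapping of response headers; names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, (severity, fix) in EXPECTED_HEADERS.items():
        if name not in h:
            findings.append((severity, f"missing {name}: {fix}"))
    if "content-security-policy" in h:
        findings.extend(audit_csp(h["content-security-policy"]))
    if h.get("x-content-type-options", "nosniff").strip().lower() != "nosniff":
        findings.append(("LOW", "x-content-type-options is not 'nosniff'"))
    return findings


# Constructed responses: a weak configuration and its hardened counterpart.
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:",
    "X-Frame-Options": "SAMEORIGIN",
}
HARDENED_HEADERS = {
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic'; "
        "object-src 'none'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'"
    ),
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=()",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"== {label}: {len(audit_headers(hdrs))} finding(s)")
        for severity, message in audit_headers(hdrs):
            print(f"  [{severity}] {message}")
```

A live response can be fed in with the `requests` dependency already listed in this README (`audit_headers(requests.get(url).headers)`), since `requests` exposes headers as a case-insensitive mapping. Note that a CSP delivered only via `<meta http-equiv>` is not seen by a header-only check.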

---

## 📊 Payload Arsenal

```
329 payloads across 27 categories

  probe               8    js_context         16    mxss              12
  reflected          41    attr_context       17    csti              14
  filter_bypass      42    html_context       11    prototype_poll    10
  encoding           18    dom                10    dom_clobbering     6
  open_redirect      13    markdown           10    pdf_xss            7
  svg_upload          5    blind               8    waf_bypass        16
  csp_bypass         10    polyglot            9    second_order       8
  json_xss            7    dangling_markup     7    header             7
  iframe_srcdoc       8    xssi                4    stored             5
```

---

## 🚀 Installation

### Requirements
- Python 3.8+
- `pip3` package manager

### Quick Install

```bash
git clone https://github.com/YOUR_USERNAME/sharingan.git
cd sharingan
pip3 install -r requirements.txt
python3 sharingan.py --help
```

### Manual Dependencies

```bash
pip3 install requests beautifulsoup4 colorama
```

> Dependencies are also auto-installed on first run if missing.

---

## 💻 Usage

### Basic Scan

```bash
python3 sharingan.py -u "https://target.com/search?q=test"
```

### Full Scan + HTML Report

```bash
python3 sharingan.py -u "https://target.com/search?q=test" -o report.html
```

### Authenticated Crawl (all 30 vectors)

```bash
python3 sharingan.py -u "https://target.com" --crawl -c "session=abc123; user=admin"
```

### Blind XSS with Local OAST Listener

```bash
python3 sharingan.py -u "https://target.com" -m blind --blind
# Sharingan starts a local HTTP listener and injects callbacks
```

### Blind XSS with Burp Collaborator

```bash
python3 sharingan.py -u "https://target.com" --blind --callback https://xyz.burpcollaborator.net
```

### Targeted Mode Combos

```bash
# DOM + Prototype Pollution + CSTI + mXSS
python3 sharingan.py -u "https://target.com/app" -m dom,pp,csti,mxss,iframe

# Markdown + PDF + Stored (CMS/blog targets)
python3 sharingan.py -u "https://target.com/blog" -m markdown,pdf,stored

# WAF bypass mode + encoding
python3 sharingan.py -u "https://target.com" -m reflected,waf

# Security audit only (fast, no active injection)
python3 sharingan.py -u "https://target.com" -m audit
```

### List All Payloads

```bash
python3 sharingan.py --list-payloads
```

---

## ⚙️ All Options

```
  -u, --url URL           Target URL (required)
  -m, --mode MODES        Scan modes, comma-separated (default: all)
  -t, --threads N         Concurrent threads (default: 5)
      --timeout N         HTTP timeout in seconds (default: 12)
  -c, --cookie STR        Session cookies: 'session=abc; user=xyz'
  -H, --header STR        Custom header 'Name: Value' (repeatable)
      --user-agent STR    Custom User-Agent string
      --crawl             Crawl site before scanning
      --crawl-depth N     Crawl depth (default: 2)
      --max-urls N        Max URLs to test (default: 100)
      --stop-on-first     Stop after first finding per parameter
      --blind             Enable blind XSS OAST mode
      --callback URL      External OAST callback URL
      --lport N           Local OAST listener port (default: 18891)
  -o, --output FILE       Save report: report.txt | .json | .html
      --list-payloads     List all payload categories and exit
      --no-color          Disable colored terminal output
```

### Available Scan Modes

| Mode | Description |
|------|-------------|
| `all` | All 30 vectors (default) |
| `reflected` | Reflected XSS + 6-context detection |
| `stored` | Stored XSS via HTML forms |
| `json` | JSON/REST/GraphQL API body injection |
| `dom` | DOM static taint analysis + dynamic fragment |
| `blind` | Blind XSS OAST callbacks |
| `second` | Second-order XSS |
| `headers` | 16 HTTP header injections |
| `cookie` | Cookie value reflection |
| `cache` | Web cache poisoning |
| `jsonp` | JSONP callback injection |
| `redirect` | Open redirect → javascript: URI |
| `pp` | Prototype pollution → DOM XSS |
| `csti` | Client-side template injection |
| `mxss` | Mutation XSS / DOMPurify bypass |
| `svg` | SVG file upload XSS |
| `markdown` | Markdown / rich-text XSS |
| `pdf` | Server-side XSS → PDF generator |
| `clobber` | DOM clobbering |
| `dangling` | Dangling markup injection |
| `waf` | WAF detection + adaptive evasion |
| `iframe` | iframe / srcdoc / object / embed XSS |
| `self` | Self-XSS + escalation analysis |
| `audit` | CSP audit + 9-header security check |

---

## 📄 Report Formats

Sharingan produces three report formats:

**HTML Report** (`-o report.html`) — Dark Sharingan-themed dashboard with severity badges, full payload details, and remediation guidance.

**JSON Report** (`-o report.json`) — Machine-readable structured output for integration into CI/CD pipelines or SIEM tools.

**Text Report** (`-o report.txt`) — Simple text format for documentation and ticket systems.
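A typical consumer of the JSON report is a CI gate that fails the build above a severity threshold while letting already-triaged findings through. The script below is an added example, not part of Sharingan: the report layout it reads (`{"findings": [{"vector", "severity", "url", "parameter"}]}`) is an assumption, since the real schema is not documented on this page, and `SAMPLE_REPORT` is constructed for the example.

```python
import hashlib
import json
import sys

SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def fingerprint(finding):
    """Stable id for a finding so a triaged issue can be accepted once."""
    key = "|".join(str(finding.get(k, "")) for k in ("vector", "url", "parameter"))
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def gate(report, fail_on="HIGH", accepted=frozenset()):
    """Return (passed, blocking_findings) for a parsed report.

    A finding blocks when its severity is at least `fail_on` and its
    fingerprint is not in the accepted set (e.g. an accepted-risk list).
    """
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking = [
        f for f in report.get("findings", [])
        if SEVERITY_RANK.get(str(f.get("severity", "INFO")).upper(), 0) >= threshold
        and fingerprint(f) not in accepted
    ]
    return (not blocking, blocking)


def load_accepted(path):
    """One fingerprint per line; '#' comments and blank lines ignored."""
    with open(path) as fh:
        return {ln.split("#", 1)[0].strip() for ln in fh if ln.split("#", 1)[0].strip()}


def main(argv):
    # usage: gate.py report.json [HIGH|CRITICAL|...] [accepted.txt]
    if len(argv) < 2:
        print("usage: gate.py report.json [fail_on] [accepted.txt]", file=sys.stderr)
        return 2
    with open(argv[1]) as fh:
        report = json.load(fh)
    fail_on = argv[2] if len(argv) > 2 else "HIGH"
    accepted = load_accepted(argv[3]) if len(argv) > 3 else frozenset()
    passed, blocking = gate(report, fail_on, accepted)
    for f in blocking:
        print(f"[{f.get('severity')}] {f.get('vector')} {f.get('url')} "
              f"param={f.get('parameter')} id={fingerprint(f)}")
    print("PASS" if passed else f"FAIL: {len(blocking)} finding(s) at or above {fail_on}")
    return 0 if passed else 1


# Constructed report in the assumed layout (not real scanner output).
SAMPLE_REPORT = {
    "target": "https://example.test/search?q=test",
    "findings": [
        {"vector": "Reflected XSS", "severity": "HIGH",
         "url": "https://example.test/search", "parameter": "q"},
        {"vector": "Security Header Audit", "severity": "INFO",
         "url": "https://example.test/", "parameter": None},
        {"vector": "CSP Deep Audit", "severity": "MEDIUM",
         "url": "https://example.test/", "parameter": None},
    ],
}

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Fingerprinting on vector, URL and parameter rather than on the payload keeps an accepted entry valid across scans even when the scanner picks a different payload for the same reflection point.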

---

## 🔬 Research Backing

Every detection vector is backed by real-world vulnerability research:

| Vector | Source |
|--------|--------|
| mXSS / DOMPurify bypass | Masato Kinugawa, Cure53 |
| Prototype Pollution → DOM XSS | Intigriti October 2024 Challenge |
| DOM Clobbering | buer.haus 2024 research |
| JSONP CSP bypass | PortSwigger Web Security Academy |
| PDF SSXSS (wkhtmltopdf/PhantomJS) | PortSwigger "Portable Data Exfiltration" |
| Markdown XSS | Snyk CVE-2024-21535 (marked.js), HackTricks |
| XSSI | HackTricks, HackerOne disclosed reports |
| Web cache poisoning | James Kettle / PortSwigger research |
| iframe srcdoc XSS | HackerOne FreshRSS CVE 2024, Mozilla Bug 1338029 |
| Second-order XSS | OWASP Testing Guide v4.2 |
| Dangling markup | PortSwigger 2023 research |
| Self-XSS escalation | Bugcrowd XSS escalation guide |
| CSP form-action bypass | PortSwigger 2024 |

---

## 🗂 Repository Structure

```
sharingan/
├── sharingan.py          # Main scanner (all 30 vectors)
├── requirements.txt      # Python dependencies
├── README.md             # This file
├── LICENSE               # MIT License
├── CHANGELOG.md          # Version history
├── .github/
│   └── ISSUE_TEMPLATE/
│       ├── bug_report.md
│       └── feature_request.md
├── docs/
│   ├── vectors.md        # Detailed vector documentation
│   ├── payloads.md       # Payload reference
│   └── examples.md       # Usage examples
├── payloads/
│   └── custom.txt        # Add your own payloads (one per line)
└── examples/
    β”œβ”€β”€ basic_scan.sh
    β”œβ”€β”€ authenticated_crawl.sh
    └── blind_xss.sh
```

---

## 🤝 Contributing

Contributions are welcome. Please:

1. Fork the repository
2. Create a feature branch (`git checkout -b feature/new-vector`)
3. Add your detection vector with research backing
4. Submit a pull request with a detailed description

Please do **not** submit payloads from unauthorized testing.

---

## 📜 License

MIT License — see [LICENSE](LICENSE) for details.

---



**"In this world, wherever there is light, there are also shadows."**

*— Madara Uchiha*

⭐ Star this repo if Sharingan found a bug for you.