Share
## https://sploitus.com/exploit?id=B1D5736B-DFBD-5699-B3CB-59157C385D35
# XSSAudit v2.0 โ Advanced XSS Vulnerability Scanner
> **For authorised security testing only.**
---
## Features
| Feature | Description |
|---|---|
| Heuristic Probing | 3-probe preprocessing identifies unmutated chars & injection context before fuzzing |
| Smart Payload Selection | Filters 80-120 payloads down to ~20-35 relevant ones per parameter |
| Reflection Testing | 15 canary XSS payloads with DOM context classification |
| Fuzzing Engine | Wordlist fuzzing with 153 payloads, exact/fuzzy matching, mutation detection |
| Timing Analysis | Time-based delay detection (indicative โ always confirm manually) |
| WAF Fingerprinting | Detects 15 WAF products (ModSecurity, Cloudflare, AWS WAF, F5, Imperva, etc.) |
| CURL Reproducibility | Every finding includes a copy-pasteable `curl` command |
| HTML Report | Self-contained dark-theme report with risk colour coding |
| Injection Types | GET params, POST body (form/JSON), HTTP headers, cookies |
| Headless Browser | Render payload in real browser (Chromium/Firefox/WebKit) + monitor JS execution |
| Dialog Detection | Capture `alert()` / `confirm()` / `prompt()` = CONFIRMED XSS |
| Sink Analysis | Monitor dangerous sinks: `innerHTML`, `eval()`, `setTimeout()`, `document.write()` |
| Event Triggering | Auto-trigger `click`, `mouseover`, `focus` to test event handler XSS |
| Stored XSS | Multi-step: inject โ wait โ fetch โ verify for stored XSS |
| Risk Refinement | Phase 1 findings upgraded: CONFIRMED vs REFLECTED_ONLY vs SAFE |
| Screenshots | Capture browser state when payload executes |
---
## Installation
### Phase 1 Only (Static Analysis)
```bash
# 1. Clone / unzip the project
cd xssaudit
# 2. Create virtual environment (recommended)
python -m venv .venv
source .venv/bin/activate # Windows: .venv\Scripts\activate
# 3. Install core dependencies
pip install -r requirements.txt
```
**Requirements:** Python 3.8+
### Phase 2 (Add Dynamic Analysis โ Optional)
```bash
# Install Playwright (optional)
pip install -r requirements-dynamic.txt
# Download browser binaries (~500 MB)
playwright install
# Or specific browser:
playwright install chromium
```
**Note:** If Playwright is not installed, `--dynamic` flag will gracefully fallback to Phase 1 static analysis.
**See [`DEPENDENCIES.md`](DEPENDENCIES.md) for detailed troubleshooting & resource info.**
---
## Quick Start
### Phase 1 โ Static Analysis (Always Available)
```bash
# Basic scan โ query parameter
python main.py --url "https://target.com/search" --param q
# POST body parameter
python main.py --url "https://target.com/login" --param username --method POST --body-param username
# Multiple parameters
python main.py --url "https://target.com/search" --param q category
# With authentication
python main.py --url "https://target.com/api" --param q \
--headers "Authorization: Bearer TOKEN" \
--cookies "session=abc123"
# Header injection
python main.py --url "https://target.com/" --header-param "User-Agent"
# Cookie injection
python main.py --url "https://target.com/" --cookie-param "pref"
# Custom output path
python main.py --url "https://target.com/search" --param q --output reports/scan.html
# Disable smart selection (test all payloads)
python main.py --url "https://target.com/search" --param q --no-smart
# Verbose debug logging
python main.py --url "https://target.com/search" --param q --verbose
# Use YAML config file
python main.py --config xssaudit.config.yml
# Skip SSL verification (untrusted certs)
python main.py --url "https://target.com/search" --param q --insecure
```
### Phase 2 โ Dynamic Analysis (Optional, with `--dynamic`)
```bash
# Basic dynamic analysis (Chromium)
python main.py --url "https://target.com/search" --param q --dynamic
# Dynamic with Firefox browser
python main.py --url "https://target.com/search" --param q --dynamic --browser firefox
# Capture screenshot when payload executes
python main.py --url "https://target.com/search" --param q --dynamic --screenshot
# Stored XSS detection: POST payload, then fetch from another URL
python main.py --url "https://target.com/api/comment" --param text --method POST \
--dynamic --stored-url "https://target.com/comments" --stored-delay 3
# Combine Phase 1 + Phase 2: static analysis + browser confirmation
python main.py --url "https://target.com/search" --param q --dynamic --verbose
```
**Note:** Dynamic analysis requires Playwright to be installed. If unavailable, tool falls back to Phase 1 static analysis automatically.
---
## CLI Reference
```
Usage: python main.py [OPTIONS]
Target:
--url URL Target URL (required)
--method GET|POST HTTP method (default: GET)
--param PARAM [PARAM...] Query/GET parameter(s) to test
Injection Points:
--body-param PARAM POST body parameter(s)
--body-format FORM|JSON Body encoding (default: form-urlencoded)
--header-param HEADER HTTP header(s) to inject
--cookie-param COOKIE Cookie(s) to inject
Authentication:
--headers KEY:VALUE Extra HTTP headers
--cookies KEY=VALUE Extra cookies
Wordlist:
--wordlist FILE Custom wordlist path (default: built-in)
--match-mode EXACT|FUZZY Match strategy (default: EXACT)
--fuzzy-threshold FLOAT Fuzzy threshold 0.0-1.0 (default: 0.8)
--no-smart Disable smart payload selection
Network:
--timeout SECONDS Request timeout (default: 10)
--delay MS Delay between requests ms (default: 100)
--insecure Disable SSL verification
Features:
--no-heuristic Disable heuristic probing
--no-waf Disable WAF detection
Output:
--output FILE Report path (default: xssaudit_report.html)
--config FILE YAML config file
--verbose Debug logging
```
---
## YAML Configuration
```yaml
# xssaudit.config.yml
target:
url: "https://vulnerable.example.com/search"
method: "GET"
timeout: 10
verify_ssl: true
injection_points:
- type: "query_param"
name: "q"
- type: "body_param"
name: "search_term"
body_format: "form-urlencoded"
authentication:
headers:
Authorization: "Bearer YOUR_TOKEN"
cookies:
session: "abc123"
wordlist:
source: "DEFAULT"
match_mode: "EXACT"
smart_selection: true
features:
heuristic_probing: true
waf_detection: true
```
---
## Running Tests
```bash
# Install test dependencies
pip install pytest pytest-cov flask
# Run all tests
pytest tests/ -v
# Run with coverage report
pytest tests/ -v --cov=. --cov-report=term-missing
# Run specific test file
pytest tests/test_http_client.py -v
pytest tests/test_modules.py -v
pytest tests/test_integration.py -v
# Run and save coverage HTML
pytest tests/ --cov=. --cov-report=html
open htmlcov/index.html
```
---
## Project Structure
```
xssaudit/
โโโ main.py โ CLI entry point
โโโ models.py โ Data classes & enums
โโโ config.py โ CLI + YAML config parser
โโโ logger.py โ Logging setup
โโโ requirements.txt
โโโ xssaudit.config.yml โ Config template
โ
โโโ core/
โ โโโ http_client.py โ Module 4: HTTP Client
โ โโโ heuristic_prober.py โ Module 4.5: Heuristic Probing
โ โโโ reflection_tester.py โ Module 1: Reflection Testing
โ โโโ fuzzing_engine.py โ Module 2: Fuzzing Engine
โ โโโ timing_analyzer.py โ Module 3: Time-Based Analysis
โ โโโ waf_detector.py โ Module 4.5+: WAF Fingerprinting
โ
โโโ orchestrator/
โ โโโ scan_orchestrator.py โ Scan coordinator + ResultAggregator
โ
โโโ reporting/
โ โโโ report_generator.py โ HTML report (Jinja2)
โ
โโโ tests/
โโโ conftest.py โ pytest fixtures + Flask mock server
โโโ mock_server.py โ Flask test server (8 endpoints)
โโโ test_http_client.py โ Module 4 unit tests
โโโ test_modules.py โ Modules 4.5, 1, 2 unit tests
โโโ test_waf_timing.py โ Modules 3, 4.5+ unit tests
โโโ test_integration.py โ Full pipeline integration tests
```
---
## How Heuristic Probing Works
Instead of blasting 100+ payloads immediately, XSSAudit first sends **3 lightweight probes**:
```
Probe 1: zxcv"' โ HTML/tag context
Probe 2: zxcv"'=> โ Attribute-breaking context
Probe 3: zxcv';alert(1);// โ Script/JS context
```
Each probe's response is analysed character-by-character:
- `` โ unmutated? encoded? stripped?
- `"` `'` `;` `=` โ same analysis
**Result:** Only payloads using characters the server actually passes through are tested. If `` variants are skipped automatically.
---
## Injection Point Types
| Type | CLI Flag | Example |
|---|---|---|
| Query parameter | `--param q` | `?q=PAYLOAD` |
| POST body | `--body-param field` | `field=PAYLOAD` |
| HTTP header | `--header-param X-Custom` | `X-Custom: PAYLOAD` |
| Cookie | `--cookie-param session` | `Cookie: session=PAYLOAD` |
---
## Risk Levels
| Level | Meaning |
|---|---|
| ๐ด CRITICAL | Unencoded reflection in script or attribute context |
| ๐ HIGH | Unencoded reflection in text node or URL attribute |
| ๐ก MEDIUM | Partial encoding or tag-name context |
| ๐ข LOW | Fully encoded โ likely safe, verify manually |
---
## Exit Codes
| Code | Meaning |
|---|---|
| `0` | Scan complete, no CRITICAL/HIGH findings |
| `1` | CRITICAL or HIGH findings detected |
| `130` | Interrupted by user (Ctrl+C) |
---
## Limitations (v1.0)
- **Static analysis only** โ DOM-XSS requiring JavaScript execution requires v2.0 (`--dynamic`)
- **Reflected XSS focus** โ Stored XSS multi-step scanning requires v2.0
- **Timing results are indicative** โ confirm all time-based findings manually
- **WAF false negatives** โ WAF-protected targets may hide vulnerabilities
- **Single-parameter polyglots** โ multi-parameter chain attacks not supported
---
## Legal Notice
XSSAudit is designed for **authorised penetration testing only**.
Use against systems you do not have explicit permission to test is illegal.
The authors accept no liability for misuse.