Share
## https://sploitus.com/exploit?id=B1D5736B-DFBD-5699-B3CB-59157C385D35
# XSSAudit v2.0 โ€” Advanced XSS Vulnerability Scanner

> **For authorised security testing only.**
---

## Features

| Feature | Description |
|---|---|
| Heuristic Probing | 3-probe preprocessing identifies unmutated chars & injection context before fuzzing |
| Smart Payload Selection | Filters 80-120 payloads down to ~20-35 relevant ones per parameter |
| Reflection Testing | 15 canary XSS payloads with DOM context classification |
| Fuzzing Engine | Wordlist fuzzing with 153 payloads, exact/fuzzy matching, mutation detection |
| Timing Analysis | Time-based delay detection (indicative โ€” always confirm manually) |
| WAF Fingerprinting | Detects 15 WAF products (ModSecurity, Cloudflare, AWS WAF, F5, Imperva, etc.) |
| CURL Reproducibility | Every finding includes a copy-pasteable `curl` command |
| HTML Report | Self-contained dark-theme report with risk colour coding |
| Injection Types | GET params, POST body (form/JSON), HTTP headers, cookies |
| Headless Browser | Render payload in real browser (Chromium/Firefox/WebKit) + monitor JS execution |
| Dialog Detection | Capture `alert()` / `confirm()` / `prompt()` = CONFIRMED XSS |
| Sink Analysis | Monitor dangerous sinks: `innerHTML`, `eval()`, `setTimeout()`, `document.write()` |
| Event Triggering | Auto-trigger `click`, `mouseover`, `focus` to test event handler XSS |
| Stored XSS | Multi-step: inject โ†’ wait โ†’ fetch โ†’ verify for stored XSS |
| Risk Refinement | Phase 1 findings upgraded: CONFIRMED vs REFLECTED_ONLY vs SAFE |
| Screenshots | Capture browser state when payload executes |

---

## Installation

### Phase 1 Only (Static Analysis)

```bash
# 1. Clone / unzip the project
cd xssaudit

# 2. Create virtual environment (recommended)
python -m venv .venv
source .venv/bin/activate        # Windows: .venv\Scripts\activate

# 3. Install core dependencies
pip install -r requirements.txt
```

**Requirements:** Python 3.8+

### Phase 2 (Add Dynamic Analysis โ€” Optional)

```bash
# Install Playwright (optional)
pip install -r requirements-dynamic.txt

# Download browser binaries (~500 MB)
playwright install

# Or specific browser:
playwright install chromium
```

**Note:** If Playwright is not installed, `--dynamic` flag will gracefully fallback to Phase 1 static analysis.

**See [`DEPENDENCIES.md`](DEPENDENCIES.md) for detailed troubleshooting & resource info.**

---

## Quick Start

### Phase 1 โ€” Static Analysis (Always Available)

```bash
# Basic scan โ€” query parameter
python main.py --url "https://target.com/search" --param q

# POST body parameter
python main.py --url "https://target.com/login" --param username --method POST --body-param username

# Multiple parameters
python main.py --url "https://target.com/search" --param q category

# With authentication
python main.py --url "https://target.com/api" --param q \
  --headers "Authorization: Bearer TOKEN" \
  --cookies "session=abc123"

# Header injection
python main.py --url "https://target.com/" --header-param "User-Agent"

# Cookie injection
python main.py --url "https://target.com/" --cookie-param "pref"

# Custom output path
python main.py --url "https://target.com/search" --param q --output reports/scan.html

# Disable smart selection (test all payloads)
python main.py --url "https://target.com/search" --param q --no-smart

# Verbose debug logging
python main.py --url "https://target.com/search" --param q --verbose

# Use YAML config file
python main.py --config xssaudit.config.yml

# Skip SSL verification (untrusted certs)
python main.py --url "https://target.com/search" --param q --insecure
```

### Phase 2 โ€” Dynamic Analysis (Optional, with `--dynamic`)

```bash
# Basic dynamic analysis (Chromium)
python main.py --url "https://target.com/search" --param q --dynamic

# Dynamic with Firefox browser
python main.py --url "https://target.com/search" --param q --dynamic --browser firefox

# Capture screenshot when payload executes
python main.py --url "https://target.com/search" --param q --dynamic --screenshot

# Stored XSS detection: POST payload, then fetch from another URL
python main.py --url "https://target.com/api/comment" --param text --method POST \
  --dynamic --stored-url "https://target.com/comments" --stored-delay 3

# Combine Phase 1 + Phase 2: static analysis + browser confirmation
python main.py --url "https://target.com/search" --param q --dynamic --verbose
```

**Note:** Dynamic analysis requires Playwright to be installed. If unavailable, tool falls back to Phase 1 static analysis automatically.

---

## CLI Reference

```
Usage: python main.py [OPTIONS]

Target:
  --url URL                 Target URL (required)
  --method GET|POST         HTTP method (default: GET)
  --param PARAM [PARAM...]  Query/GET parameter(s) to test

Injection Points:
  --body-param PARAM        POST body parameter(s)
  --body-format FORM|JSON   Body encoding (default: form-urlencoded)
  --header-param HEADER     HTTP header(s) to inject
  --cookie-param COOKIE     Cookie(s) to inject

Authentication:
  --headers KEY:VALUE       Extra HTTP headers
  --cookies KEY=VALUE       Extra cookies

Wordlist:
  --wordlist FILE           Custom wordlist path (default: built-in)
  --match-mode EXACT|FUZZY  Match strategy (default: EXACT)
  --fuzzy-threshold FLOAT   Fuzzy threshold 0.0-1.0 (default: 0.8)
  --no-smart                Disable smart payload selection

Network:
  --timeout SECONDS         Request timeout (default: 10)
  --delay MS                Delay between requests ms (default: 100)
  --insecure                Disable SSL verification

Features:
  --no-heuristic            Disable heuristic probing
  --no-waf                  Disable WAF detection

Output:
  --output FILE             Report path (default: xssaudit_report.html)
  --config FILE             YAML config file
  --verbose                 Debug logging
```

---

## YAML Configuration

```yaml
# xssaudit.config.yml
target:
  url: "https://vulnerable.example.com/search"
  method: "GET"
  timeout: 10
  verify_ssl: true

injection_points:
  - type: "query_param"
    name: "q"
  - type: "body_param"
    name: "search_term"
    body_format: "form-urlencoded"

authentication:
  headers:
    Authorization: "Bearer YOUR_TOKEN"
  cookies:
    session: "abc123"

wordlist:
  source: "DEFAULT"
  match_mode: "EXACT"
  smart_selection: true

features:
  heuristic_probing: true
  waf_detection: true
```

---

## Running Tests

```bash
# Install test dependencies
pip install pytest pytest-cov flask

# Run all tests
pytest tests/ -v

# Run with coverage report
pytest tests/ -v --cov=. --cov-report=term-missing

# Run specific test file
pytest tests/test_http_client.py -v
pytest tests/test_modules.py -v
pytest tests/test_integration.py -v

# Run and save coverage HTML
pytest tests/ --cov=. --cov-report=html
open htmlcov/index.html
```

---

## Project Structure

```
xssaudit/
โ”œโ”€โ”€ main.py                       โ† CLI entry point
โ”œโ”€โ”€ models.py                     โ† Data classes & enums
โ”œโ”€โ”€ config.py                     โ† CLI + YAML config parser
โ”œโ”€โ”€ logger.py                     โ† Logging setup
โ”œโ”€โ”€ requirements.txt
โ”œโ”€โ”€ xssaudit.config.yml           โ† Config template
โ”‚
โ”œโ”€โ”€ core/
โ”‚   โ”œโ”€โ”€ http_client.py            โ† Module 4: HTTP Client
โ”‚   โ”œโ”€โ”€ heuristic_prober.py       โ† Module 4.5: Heuristic Probing
โ”‚   โ”œโ”€โ”€ reflection_tester.py      โ† Module 1: Reflection Testing
โ”‚   โ”œโ”€โ”€ fuzzing_engine.py         โ† Module 2: Fuzzing Engine
โ”‚   โ”œโ”€โ”€ timing_analyzer.py        โ† Module 3: Time-Based Analysis
โ”‚   โ””โ”€โ”€ waf_detector.py           โ† Module 4.5+: WAF Fingerprinting
โ”‚
โ”œโ”€โ”€ orchestrator/
โ”‚   โ””โ”€โ”€ scan_orchestrator.py      โ† Scan coordinator + ResultAggregator
โ”‚
โ”œโ”€โ”€ reporting/
โ”‚   โ””โ”€โ”€ report_generator.py       โ† HTML report (Jinja2)
โ”‚
โ””โ”€โ”€ tests/
    โ”œโ”€โ”€ conftest.py               โ† pytest fixtures + Flask mock server
    โ”œโ”€โ”€ mock_server.py            โ† Flask test server (8 endpoints)
    โ”œโ”€โ”€ test_http_client.py       โ† Module 4 unit tests
    โ”œโ”€โ”€ test_modules.py           โ† Modules 4.5, 1, 2 unit tests
    โ”œโ”€โ”€ test_waf_timing.py        โ† Modules 3, 4.5+ unit tests
    โ””โ”€โ”€ test_integration.py       โ† Full pipeline integration tests
```

---

## How Heuristic Probing Works

Instead of blasting 100+ payloads immediately, XSSAudit first sends **3 lightweight probes**:

```
Probe 1: zxcv"'        โ†’ HTML/tag context
Probe 2: zxcv"'=>      โ†’ Attribute-breaking context
Probe 3: zxcv';alert(1);//     โ†’ Script/JS context
```

Each probe's response is analysed character-by-character:
- `` โ†’ unmutated? encoded? stripped?
- `"` `'` `;` `=` โ†’ same analysis

**Result:** Only payloads using characters the server actually passes through are tested. If `` variants are skipped automatically.

---

## Injection Point Types

| Type | CLI Flag | Example |
|---|---|---|
| Query parameter | `--param q` | `?q=PAYLOAD` |
| POST body | `--body-param field` | `field=PAYLOAD` |
| HTTP header | `--header-param X-Custom` | `X-Custom: PAYLOAD` |
| Cookie | `--cookie-param session` | `Cookie: session=PAYLOAD` |

---

## Risk Levels

| Level | Meaning |
|---|---|
| ๐Ÿ”ด CRITICAL | Unencoded reflection in script or attribute context |
| ๐ŸŸ  HIGH | Unencoded reflection in text node or URL attribute |
| ๐ŸŸก MEDIUM | Partial encoding or tag-name context |
| ๐ŸŸข LOW | Fully encoded โ€” likely safe, verify manually |

---

## Exit Codes

| Code | Meaning |
|---|---|
| `0` | Scan complete, no CRITICAL/HIGH findings |
| `1` | CRITICAL or HIGH findings detected |
| `130` | Interrupted by user (Ctrl+C) |

---

## Limitations (v1.0)

- **Static analysis only** โ€” DOM-XSS requiring JavaScript execution requires v2.0 (`--dynamic`)
- **Reflected XSS focus** โ€” Stored XSS multi-step scanning requires v2.0
- **Timing results are indicative** โ€” confirm all time-based findings manually
- **WAF false negatives** โ€” WAF-protected targets may hide vulnerabilities
- **Single-parameter polyglots** โ€” multi-parameter chain attacks not supported

---

## Legal Notice

XSSAudit is designed for **authorised penetration testing only**.
Use against systems you do not have explicit permission to test is illegal.
The authors accept no liability for misuse.