Share
## https://sploitus.com/exploit?id=E86F3FBD-4EEE-5EEE-B6B8-6195B238B1AE
# XSS Scanner – Automated Cross-Site Script Vulnerability Scanner

A fully featured XSS vulnerability scanner that supports detection of reflective, storage, and DOM-based XSS attacks. It features dynamic crawling, context-aware payloads, concurrent scanning, resume after interruptions, and reports in multiple formats.

## Features

- **Dynamic Crawling**: Based on Playwright, supports JavaScript rendering, SPA pages, and dynamic link extraction.
- **Three Types of XSS Detection**:
  - **Reflective**: GET parameters, forms (including `multipart/form-data`)
  - **Storage**: Multi-page validation after submission, automatic cleanup of test data
  - **DOM-Based**: Common sinks like `innerHTML`, `eval`, `setTimeout`, testing various sources like `hash`, `search`
- **Context-Aware**: Automatically identifies payload injection locations (HTML, attributes, JS) and selects precise payloads.
- **Intelligent Payload Library**: Includes variants like case-bypass, HTML entities, Unicode encoding.
- **Efficient Scanning**: Supports concurrent threads, resume after interruption (`Ctrl+C` to save progress).
- **Report Generation**: CSV + JSON format, including vulnerability type, risk level, and recommendations for fixes.
- **Flexible Configuration**: Timeout settings, depth, proxy, User-Agent, Cookie/Header import.

## Installation

### 1. Clone the project

```bash
git clone https://github.com/AukSoryu/xss_scanner.git
cd xss_scanner
```

### 2. Install dependencies

Create a `requirements.txt` file (if it doesn't exist):

```tex
requests
beautifulsoup4
playwright
```

Then execute:

```bash
pip install -r requirements.txt
playwright install chromium
```

## Configuration

Edit `config.py` to adjust the following parameters:

| Parameter       | Default       | Description                                      |
|------------------|--------------|--------------------------------------------------|
| `TIMEOUT`        | 10          | HTTP request timeout (in seconds)                |
| `RETRY_TIMES`    | 2           | Number of request retries                         |
| `MAX_DEPTH`      | 2           | Maximum crawling depth                          |
| `MAX_URLS`       | 100          | Maximum number of pages to crawl             |
| `THREADS`         | 4           | Number of concurrent scanning threads         |
| `HEADLESS`        | True         | Headless browser mode (Set to False to observe browser actions) |
| `PROXY`          | `None`        | HTTP/HTTPS proxy (supports environment variable `HTTP_PROXY`) |
| `USER_AGENTS`     | [...]         | Random User-Agent list                          |
| `LOG_LEVEL`       | `"INFO"`     | Log level (Not fully integrated, reserved)         |
| `OUTPUT_FORMAT`   | `"csv,json"`   | Report output format                               |

Set the proxy using environment variables:

```bash
export HTTP_PROXY=http://example.com:8080
export USER_AGENTS="Google Chrome/78; version=78"
```

```
export HTTP_PROXY=http://127.0.0.1:8080
```

## Usage

### Basic Scanning

```bash
python main.py http://testphp.vulnweb.com
```

### Scanning with Cookies

```bash
# String format
python main.py http://example.com --cookie "sessionid=abc123; user=admin"

# Reading from a file (each line: name=value)
python main.py http://example.com --cookie cookies.txt
```

### Scanning with Custom Headers (JSON File)

```bash
# Content of headers.json: {"Authorization": "Bearer token", "X-Custom": "value"}
python main.py http://example.com --headers headers.json
```

### Control of Scanning Process

- Pressing `Ctrl+C` will save the current progress in the `results/` directory. Running the same target URL again will resume the scan automatically, continuing on uncompleted pages. The progress file is automatically deleted after scanning. ### Output Reports

After scanning, two files are generated in the `results/` directory:

- `hostname_timestamp.csv`: A spreadsheet containing details like type, injection location, payload, URL, risk level, and recommendations for fixing the vulnerability.
- `hostname_timestamp.json`: Structured data for easier secondary processing. ## Overview of Detection Mechanism

1. **Crawling**: Using Playwright to access the target website and extract all domain-related links (including those dynamically generated by JS). 2. **Parameter Extraction**: Identifying parameters from the URL of each page and injection points from form fields. 3. **Context Detection**: Sending probes with specific Payloads (e.g., ``) to analyze the returned content and determine the context where the injection point lies (HTML/attributes/JS). 4. **Precise Attacks**: Selecting appropriate Payloads based on the context, testing them one by one to see if they reflect or execute. 5. **Stored Verification**: After submitting the Payload, traversing all discovered pages in an iterative manner to prevent asynchronous storage. 6. **DOM Detection**: Monitoring Sink functions through browser hooks by injecting Payloads containing `location.hash`/`search` elements, checking if data flows into the dangerous Sink. ## Extended Development

- **Adding New Payloads**: Simply add new entries in the `payloads/` folder corresponding to `*_payloads.py` files.
- **Adding New Contexts**: Modify the `detect_context` function in `detectors/context.py`.
- **Adding New Sink Hooks**: Edit `browser/sink_hook.js` by adding attribute names or function names in the `sinkProps` array. ## Notes

- The scanning targets must be authorized and should only be used for legitimate security testing. > **It is strictly prohibited** to use this tool for unauthorized scans, attacks, or data theft. >
  > Using this tool means you have read, understood, and agreed to all terms in the [Full Disclaimer](DISCLAIMER.md). >
  > Any illegal activities are solely the responsibility of the user; developers do not bear any liability. - High concurrency (`THREADS`) may cause stress on the target server; please set it carefully. - Stored detection involves inserting test data (e.g., `XSSPROBE123`) into the target database; it’s recommended to use this feature in a test environment. - If you want to scan HTTPS sites with invalid certificates, you can set `VERIFY_SSL = False`. ## License

This project is open source under [MIT License](LICENSE). ## Thanks and Authors

- **Author**: AukSoryu · https://github.com/AukSoryu  

- **Learning and Community**: We welcome experienced developers to guide beginners.  

  ![mywechat](README.assets/mywechat.png)

- **Open Source Spirit**: We welcome people to star, fork, issue issues, or make PRs. Let’s make this tool safer and more powerful together. **⭐ If you think this project is helpful, give it a star—it’s the greatest encouragement for the author!**