Friday, July 19, 2024

XSSight – Automated XSS Scanner And Payload Injector


XSS is a very commonly exploited vulnerability type which is very widely spread and easily detectable.

What is XSS(Cross Site Scripting)?

An attacker can inject untrusted snippets of JavaScript into your application without validation. This JavaScript is then executed by the victim who is visiting the target site.

XSS classified into three types Reflected XSS, Stored XSS, DOM-Based XSS. To read more about XSS and OWSAP 10 vulnerabilities click here.

XSSight – XSS Scanner

To find the XSS many famous tools available such as Burp, ZAP, Vega, Nikito. Today we are to discuss XSSight powered by Team Ultimate.

You can clone the tool from Github.

Step1: To Download and install XSSight.

XSSight - Automated XSS Scanner And Payload Injector
                                              Download & Install XSSight

Step2: To launch the tool navigate to concern directory and type python

XSSight - Automated XSS Scanner And Payload Injector
                                                               To Launch XSSight

Scan with XSS Scanner

It injects characters like /\ ” <> and checks the source code of the objective website page to perceive how the page handles the info and lets us know whether it is defenseless against XSS.

Select number 1 for XSS Scanner

XSSight - Automated XSS Scanner And Payload Injector
                                                            Scan with XSS Scanner

From the result, we can see the parameter is vulnerable to XSS injection.

Payload Injector

Also, you can try by injecting XSS payloads.

XSSight - Automated XSS Scanner And Payload Injector
                                                                    Payload Injector

Now you can see what sort of payload conflicts with the target.

Defenses against XSS

  • What input do we trust?
  • Does it adhere to expected patterns?
  • Never simply reflect untrusted data.
  • Applies to data within our database too.
  • Encoding of context(Java/attribute/HTML/CSS

Also Read


Latest articles

Hackers Claiming Dettol Data Breach: 453,646 users Impacted

A significant data breach has been reported by a threat actor known as 'Hana,'...

CrowdStrike Update Triggers Widespread Windows BSOD Crashes

A recent update from cybersecurity firm CrowdStrike has caused significant disruptions for Windows users,...

Operation Spincaster Disrupts Approval Phishing Technique that Drains Victim’s Wallets

Chainalysis has launched Operation Spincaster, an initiative to disrupt approval phishing scams that have...

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles