XSS is a very commonly exploited vulnerability type which is very widely spread and easily detectable.
What is XSS(Cross Site Scripting)?
XSSight – XSS Scanner
To find the XSS many famous tools available such as Burp, ZAP, Vega, Nikito. Today we are to discuss XSSight powered by Team Ultimate.
You can clone the tool from Github.
Step1: To Download and install XSSight.
Step2: To launch the tool navigate to concern directory and type python xssight.py
Scan with XSS Scanner
It injects characters like /\ ” <> and checks the source code of the objective website page to perceive how the page handles the info and lets us know whether it is defenseless against XSS.
Select number 1 for XSS Scanner
From the result, we can see the parameter is vulnerable to XSS injection.
Also, you can try by injecting XSS payloads.
Now you can see what sort of payload conflicts with the target.
Defenses against XSS
- What input do we trust?
- Does it adhere to expected patterns?
- Never simply reflect untrusted data.
- Applies to data within our database too.
- Encoding of context(Java/attribute/HTML/CSS