XSSight – Automated XSS Scanner And Payload Injector

[jpshare]

XSS is a very commonly exploited vulnerability type which is very widely spread and easily detectable.

What is XSS(Cross Site Scripting)?

An attacker can inject untrusted snippets of JavaScript into your application without validation. This JavaScript is then executed by the victim who is visiting the target site.

XSS classified into three types Reflected XSS, Stored XSS, DOM-Based XSS. To read more about XSS and OWSAP 10 vulnerabilities click here.

XSSight – XSS Scanner

To find the XSS many famous tools available such as Burp, ZAP, Vega, Nikito. Today we are to discuss XSSight powered by Team Ultimate.

You can clone the tool from Github.

Step1: To Download and install XSSight.

                                          Download & Install XSSight

Step2: To launch the tool navigate to concern directory and type python xssight.py

                                                             To Launch XSSight

Scan with XSS Scanner

It injects characters like /\ ” <> and checks the source code of the objective website page to perceive how the page handles the info and lets us know whether it is defenseless against XSS.

Select number 1 for XSS Scanner

                                                          Scan with XSS Scanner

From the result, we can see the parameter is vulnerable to XSS injection.

Payload Injector

Also, you can try by injecting XSS payloads.

                                                                  Payload Injector

Now you can see what sort of payload conflicts with the target.

Defenses against XSS

  • What input do we trust?
  • Does it adhere to expected patterns?
  • Never simply reflect untrusted data.
  • Applies to data within our database too.
  • Encoding of context(Java/attribute/HTML/CSS

Also Read

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

View Comments

  • Does this run for python 2 or python 3 environment? i tried running the script in python 3.5 environment and got the following error:
    Traceback (most recent call last):
    File "xssight.py", line 6, in
    from __future__ import print_function
    ImportError: No module named 'urllib2'

    • SO i later figured out...it works on only python 2 (urllib in python 2 is replaced by urllib.request in python 3)...but it only scans for xss in the url.......it doesn't go through all input boxes in the web application...

      • Hi Charles,

        Hope you are doing good.In the demonstration we have checked with a simple test page it went fine. We will check it again..

      • It was just a beta release. XSSight is under heavy development. We will add a feature which automatically crawls a website for parameters in XSSight v1.2

  • Stolen tool from github renamed seen it all over facebook just another way to steel others hard work.

Recent Posts

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices.…

1 day ago

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch Experts…

3 days ago

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits…

3 days ago

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on organizations…

3 days ago

Google Chrome Security, Critical Vulnerabilities Patched

Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to millions…

4 days ago

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games…

4 days ago