XSScrapy - Fast, thorough XSS vulnerability spider

Fast, thorough, XSS spider. Give it a URL and it'll test every link it finds for cross-site scripting vulnerabilities.

XSS attack vectors xsscrapy will test

• Referer header (way more common than I thought it would be!)
• User-Agent header
• Cookie header (added 8/24/14)
• Forms, both hidden and explicit
• URL variables
• End of the URL, e.g. www.example.com/<script>alert(1)</script>
• Open redirect XSS, e.g. looking for links where it can inject a value of javascript:prompt(1)

XSS attack vectors xsscrapy will not test

• Other headers

Let me know if you know of other headers you’ve seen XSS-exploitable in the wild and I may add checks for them in the script.

• Persistent XSS’s reflected in pages other than the immediate response page

If you can create something like a calendar event with an XSS in it but you can only trigger it by visiting a specific URL that’s different from the immediate response page then this script will miss it.

• DOM XSS

DOM XSS will go untested.

• CAPTCHA protected forms

This should probably go without saying, but captchas will prevent the script from testing forms that are protected by them.

• AJAX

Because Scrapy is not a browser, it will not render javascript so if you’re scanning a site that’s heavily built on AJAX this scraper will not be able to travel to all the available links. I will look into adding this functionality in the future although it is not a simple task.

From within the main folder run:

./xsscrapy.py -u http://something.com

If you wish to login then crawl:

./xsscrapy.py -u http://something.com/login_page -l loginname -p pa$$word

Output is stored in XSS-vulnerable.txt.

Download XSScrapy

Read More