XSScrapy – Fast, thorough XSS vulnerability spider

Fast, thorough XSS spider. Give it a URL and it’ll test every link it finds for cross-site scripting vulnerabilities.

XSS attack vectors xsscrapy will test

  • Referer header (way more common than I thought it would be!)
  • User-Agent header
  • Cookie header (added 8/24/14)
  • Forms, both hidden and explicit
  • URL variables
  • End of the URL, e.g. http://www.example.com/alert(1)
  • Open redirect XSS, e.g. looking for links where it can inject a value of javascript:prompt(1)
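To make concrete what "testing" each of those vectors means, here is an added Python illustration of the reflection check a spider like this relies on, written for this post and not taken from xsscrapy's own code. It injects a random canary into each of the listed inputs (Referer, User-Agent, Cookie, a URL variable, and a redirect parameter) and reports which ones come back in the response unencoded; the two request handlers, the helper names (vulnerable_page, hardened_page, injection_points, scan, safe_redirect_target) and the canary format are all constructed assumptions. The hardened handler shows the fix on the application side: HTML-encode everything echoed from the request and refuse redirect targets that carry a scheme.

```python
"""Added illustration of a canary-reflection check (not xsscrapy's code).
The handlers below stand in for a web application; they take a dict of
request headers and a dict of URL variables and return the HTML body."""
import html
import secrets


def make_marker():
    """Random canary so a hit can't be an accidental match on page text."""
    return "xsc" + secrets.token_hex(4)


def vulnerable_page(headers, params):
    """Constructed handler that interpolates request data straight into HTML."""
    ref = headers.get("Referer", "")
    ua = headers.get("User-Agent", "")
    q = params.get("q", "")
    nxt = params.get("next", "/")
    return (
        f"<p>Referer: {ref}</p><p>Browser: {ua}</p>"
        f"<p>Results for {q}</p>"
        f'<a href="{nxt}">continue</a>'
    )


def safe_redirect_target(value):
    """Allow only same-site relative paths; anything else falls back to '/'.
    This rejects scheme-bearing values (javascript:, http:) and protocol-relative //."""
    if value.startswith("/") and not value.startswith("//"):
        return value
    return "/"


def hardened_page(headers, params):
    """Same page with output encoding and redirect-target validation."""
    def esc(s):
        return html.escape(s, quote=True)
    ref = esc(headers.get("Referer", ""))
    ua = esc(headers.get("User-Agent", ""))
    q = esc(params.get("q", ""))
    nxt = esc(safe_redirect_target(params.get("next", "/")))
    return (
        f"<p>Referer: {ref}</p><p>Browser: {ua}</p>"
        f"<p>Results for {q}</p>"
        f'<a href="{nxt}">continue</a>'
    )


def injection_points(marker):
    """Yield (label, headers, params, needle) for each vector the post lists.
    The needle is the exact text that must appear in the body for the input
    to count as reflected without encoding."""
    tag = f"<{marker}>"  # unknown tag: survives verbatim only if unescaped
    yield "Referer header", {"Referer": tag}, {}, tag
    yield "User-Agent header", {"User-Agent": tag}, {}, tag
    yield "Cookie header", {"Cookie": f"session={tag}"}, {}, tag
    yield "URL variable q", {}, {"q": tag}, tag
    # Open redirect: a scheme-bearing value landing inside an href attribute
    yield ("open redirect via next", {}, {"next": f"javascript:{marker}"},
           f'href="javascript:{marker}"')


def scan(page, marker=None):
    """Probe every injection point once and return the labels that reflect."""
    marker = marker or make_marker()
    findings = []
    for label, headers, params, needle in injection_points(marker):
        body = page(headers, params)
        if needle in body:
            findings.append(label)
    return findings


if __name__ == "__main__":
    print("vulnerable:", scan(vulnerable_page))
    print("hardened:  ", scan(hardened_page))
```

Running it reports the Referer, User-Agent, URL-variable and redirect points for the vulnerable handler (the cookie is never echoed, so it is correctly not flagged) and nothing for the hardened one. A real crawler adds the crawling, form parsing and per-context encoding checks on top of this core test; the random canary is what keeps the signal free of false positives on pages that happen to contain the probe text.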

XSS attack vectors xsscrapy will not test

  • Other headers

Let me know if you know of other headers you’ve seen XSS-exploitable in the wild and I may add checks for them in the script.

  • Persistent XSS reflected in pages other than the immediate response page

If you can create something like a calendar event with an XSS in it, but you can only trigger it by visiting a specific URL that is different from the immediate response page, then this script will miss it.

  • DOM XSS

DOM XSS will go untested.

  • CAPTCHA protected forms

This should probably go without saying, but CAPTCHAs will prevent the script from testing forms that are protected by them.

  • AJAX

Because Scrapy is not a browser, it will not render JavaScript, so if you’re scanning a site that’s heavily built on AJAX this scraper will not be able to reach all the available links. I will look into adding this functionality in the future, although it is not a simple task.

From within the main folder run:

./xsscrapy.py -u http://something.com

If you wish to login then crawl:

./xsscrapy.py -u http://something.com/login_page -l loginname -p 'pa$$word'

Single-quote the password: unquoted, the shell would expand $$ (and any other $-sequence) before the script ever sees it.

Output is stored in XSS-vulnerable.txt.
