Fast, thorough, XSS spider. Give it a URL and it’ll test every link it finds for cross-site scripting vulnerabilities.
XSS attack vectors xsscrapy will test
- Referer header (way more common than I thought it would be!)
- User-Agent header
- Cookie header (added 8/24/14)
- Forms, both hidden and explicit
- URL variables
- End of the URL, e.g. http://www.example.com/alert(1)
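Why request headers count as XSS vectors, shown as an added example that is not xsscrapy's own code: a hypothetical handler echoes Referer and User-Agent into HTML, and a check using a harmless constructed marker reports which headers come back unencoded, before and after applying `html.escape`. The handler names and the marker are assumptions made for this illustration.

```python
import html

# Constructed marker: a unique token wrapped around the characters that matter
# in an HTML context. It carries no script; it only reveals missing encoding.
PROBE = "zq9x'\"<>zq9x"


def render_unsafe(headers):
    """Hypothetical handler that echoes request headers into HTML as-is."""
    return ("<p>You came from: %s</p><p>Browser: %s</p>"
            % (headers.get("Referer", ""), headers.get("User-Agent", "")))


def render_safe(headers):
    """Same page, with every header value HTML-encoded before output."""
    return ("<p>You came from: %s</p><p>Browser: %s</p>"
            % (html.escape(headers.get("Referer", ""), quote=True),
               html.escape(headers.get("User-Agent", ""), quote=True)))


def unencoded_reflections(render,
                          header_names=("Referer", "User-Agent", "Cookie")):
    """Return the headers whose value reaches the response without encoding."""
    found = []
    for name in header_names:
        # Send the marker in one header at a time so a hit is attributable.
        body = render({name: PROBE})
        if PROBE in body:
            found.append(name)
    return found


if __name__ == "__main__":
    print("unsafe:", unencoded_reflections(render_unsafe))
    print("safe:  ", unencoded_reflections(render_safe))
```

The Cookie header is never reported here because neither hypothetical handler writes it into the page; only values that are actually reflected can be flagged.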
XSS attack vectors xsscrapy will not test
- Other headers
Let me know if you know of other headers you’ve seen XSS-exploitable in the wild and I may add checks for them in the script.
- Persistent XSS reflected in pages other than the immediate response page
If you can create something like a calendar event with an XSS in it, but you can only trigger it by visiting a specific URL that’s different from the immediate response page, then this script will miss it.
- DOM XSS
DOM XSS will go untested.
- CAPTCHA protected forms
This should probably go without saying, but captchas will prevent the script from testing forms that are protected by them.
From within the main folder run:
./xsscrapy.py -u http://something.com
If you wish to log in and then crawl (single-quote the password so the shell does not expand characters such as $):
./xsscrapy.py -u http://something.com/login_page -l loginname -p 'pa$$word'
Output is stored in XSS-vulnerable.txt.