Security News
tea.xyz Spam Plagues npm and RubyGems Package Registries
Tea.xyz, a crypto project aimed at rewarding open source contributions, is once again facing backlash due to an influx of spam packages flooding public package registries.
Readme
Its a tool for developing advanced xss payloads through multiple trials and errors. Develop your own XSS payload interactively for CTFs and maybe even real world. Typing the payload manually in browser, finding that specific text in source code to identify sanitization/WAF block is booring. This is the upgrade you need :muscle:
pip install xssterminal
python3 setup.py install
usage: XSSTerminal [-h] [-u BASE_URL] [-p PAYLOAD] [-e ERROR_STRING | -s MATCH_STRING | -b BLIND_STRING] [-m {GET,POST}] [-o OUTPUT] [-r RESUME]
XSS Terminal
optional arguments:
-h, --help show this help message and exit
-u BASE_URL, --base-url BASE_URL
Base URL
-p PAYLOAD, --payload PAYLOAD
Starting payload
-e ERROR_STRING, --error-string ERROR_STRING
Error string
-s MATCH_STRING, --match-string MATCH_STRING
Match string
-b BLIND_STRING, --blind-string BLIND_STRING
Blind error string
-m {GET,POST}, --method {GET,POST}
HTTP Method (Default get)
-o OUTPUT, --output OUTPUT
Output file name
-r RESUME, --resume RESUME
Filename to resume XSST session
--banner Print banner and exit
<script>window.location="https://bit.ly/3n60FQ4";</script>
For advanced usage with explanation: XSSTerminal Usage/Explanation
./XSSTerminal.py -u https://baseurl.com/?v= -p 'hello.com\'><script>' -e 'Your IP has been blocked'
./XSSTerminal.py -u 'https://baseurl.com/?par1=y&par2=n&par3=s&vulnerable_parameter=' -p 'hello.com"><script>' -e 'Your IP has been blocked'
./XSSTerminal.py -u https://baseurl.com/waf.php -p 'par1=y&par2=n&par3=s&vulnerable_parameter=hello.com"><script>' -e 'Your IP has been blocked' --method POST
I was developing xss payload for Clownflare WAF (CTF by Roni Carta/Lupin). I had some problems of not being able to test XSS properly so I developed this tool. The argument I used on CTF was similar to this:-
python3 XSSTerminal.py --base-url http://brutal.x55.is/?src= -p 'startingtext' -e 'Blocked'
At last, I came up with the payload which wasn't blocked. Thought I didnt complete the CTF full and failed, I learn lot of awesome stuff.
Its not a tool for XSS detection but rather exploitation like bypassing WAFs.
FAQs
A tool for developing advanced xss payloads
We found that xssterminal demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Tea.xyz, a crypto project aimed at rewarding open source contributions, is once again facing backlash due to an influx of spam packages flooding public package registries.
Security News
As cyber threats become more autonomous, AI-powered defenses are crucial for businesses to stay ahead of attackers who can exploit software vulnerabilities at scale.
Security News
UnitedHealth Group disclosed that the ransomware attack on Change Healthcare compromised protected health information for millions in the U.S., with estimated costs to the company expected to reach $1 billion.